d3499ba260ca5d94830789511fc893a91504efd99d5d2b42ce0ba0329be68476

Analysis

max time kernel
16s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f1f60cbae8c537856ec60153d58eb0f.exe
Size

484KB
MD5

0f1f60cbae8c537856ec60153d58eb0f
SHA1

8c9cd4230110d20ab1070997852dffafa8c902ec
SHA256

d3499ba260ca5d94830789511fc893a91504efd99d5d2b42ce0ba0329be68476
SHA512

f7dba680cfc2652ed3f028add7d562f2a29477b487cdb1fe097ad3a8f98f3c962695d2b8ffab70fabfb327adfe491a81ab5a3be1376bc7fe6d39fbde2945647f
SSDEEP

12288:Tjol5Ksngu9L9Zumrf0KjuH0T2tMa5fUrhOoxs:TjolwwHjf7Q5txdNoxs

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 60 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WMIADAP.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe

UAC bypass 3 TTPs 62 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WMIADAP.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Renames multiple (66) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 3 IoCs

pid	Process
2308	AmwkUEcU.exe
1128	EEgkYAwM.exe
2688	mwcoIAkQ.exe

Loads dropped DLL 22 IoCs

pid	Process
1336	0f1f60cbae8c537856ec60153d58eb0f.exe
1336	0f1f60cbae8c537856ec60153d58eb0f.exe
1336	0f1f60cbae8c537856ec60153d58eb0f.exe
1336	0f1f60cbae8c537856ec60153d58eb0f.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe
2308	AmwkUEcU.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\AmwkUEcU.exe = "C:\\Users\\Admin\\DcwYIIEE\\AmwkUEcU.exe"	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EEgkYAwM.exe = "C:\\ProgramData\\qkIEAokk\\EEgkYAwM.exe"	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\AmwkUEcU.exe = "C:\\Users\\Admin\\DcwYIIEE\\AmwkUEcU.exe"	AmwkUEcU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EEgkYAwM.exe = "C:\\ProgramData\\qkIEAokk\\EEgkYAwM.exe"	EEgkYAwM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EEgkYAwM.exe = "C:\\ProgramData\\qkIEAokk\\EEgkYAwM.exe"	mwcoIAkQ.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0f1f60cbae8c537856ec60153d58eb0f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f1f60cbae8c537856ec60153d58eb0f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0f1f60cbae8c537856ec60153d58eb0f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\DcwYIIEE	mwcoIAkQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\DcwYIIEE\AmwkUEcU	mwcoIAkQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
312	reg.exe
1668	reg.exe
540	reg.exe
2032	reg.exe
2128	reg.exe
2692	reg.exe
1748	reg.exe
2184	reg.exe
2876	reg.exe
2840	reg.exe
2292	reg.exe
1804	reg.exe
2256	reg.exe
1152	reg.exe
1680	reg.exe
1908	reg.exe
2320	reg.exe
1812	reg.exe
2848	reg.exe
1396	reg.exe
1492	reg.exe
2300	reg.exe
2280	reg.exe
2328	reg.exe
2020	reg.exe
1828	reg.exe
1716	reg.exe
2496	reg.exe
1640	reg.exe
2528	reg.exe
2172	reg.exe
1028	reg.exe
1748	reg.exe
2612	reg.exe
2148	reg.exe
3024	reg.exe
2848	reg.exe
1492	reg.exe
352	reg.exe
1048	reg.exe
2444	reg.exe
1268	reg.exe
1388	reg.exe
3068	reg.exe
352	reg.exe
2504	reg.exe
2224	reg.exe
1856	reg.exe
1876	reg.exe
1988	reg.exe
2488	reg.exe
2280	reg.exe
2044	reg.exe
1984	reg.exe
1488	reg.exe
2036	reg.exe
1724	reg.exe
2492	reg.exe
2168	reg.exe
2860	reg.exe
2980	reg.exe
2356	reg.exe
1528	reg.exe
1660	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	0f1f60cbae8c537856ec60153d58eb0f.exe
1336	0f1f60cbae8c537856ec60153d58eb0f.exe
2952	0f1f60cbae8c537856ec60153d58eb0f.exe
2952	0f1f60cbae8c537856ec60153d58eb0f.exe
2656	0f1f60cbae8c537856ec60153d58eb0f.exe
2656	0f1f60cbae8c537856ec60153d58eb0f.exe
1864	reg.exe
1864	reg.exe
2096	0f1f60cbae8c537856ec60153d58eb0f.exe
2096	0f1f60cbae8c537856ec60153d58eb0f.exe
1908	0f1f60cbae8c537856ec60153d58eb0f.exe
1908	0f1f60cbae8c537856ec60153d58eb0f.exe
880	0f1f60cbae8c537856ec60153d58eb0f.exe
880	0f1f60cbae8c537856ec60153d58eb0f.exe
2652	reg.exe
2652	reg.exe
1680	0f1f60cbae8c537856ec60153d58eb0f.exe
1680	0f1f60cbae8c537856ec60153d58eb0f.exe
808	0f1f60cbae8c537856ec60153d58eb0f.exe
808	0f1f60cbae8c537856ec60153d58eb0f.exe
1380	0f1f60cbae8c537856ec60153d58eb0f.exe
1380	0f1f60cbae8c537856ec60153d58eb0f.exe
2040	conhost.exe
2040	conhost.exe
2644	0f1f60cbae8c537856ec60153d58eb0f.exe
2644	0f1f60cbae8c537856ec60153d58eb0f.exe
1872	0f1f60cbae8c537856ec60153d58eb0f.exe
1872	0f1f60cbae8c537856ec60153d58eb0f.exe
1528	0f1f60cbae8c537856ec60153d58eb0f.exe
1528	0f1f60cbae8c537856ec60153d58eb0f.exe
2828	conhost.exe
2828	conhost.exe
1388	0f1f60cbae8c537856ec60153d58eb0f.exe
1388	0f1f60cbae8c537856ec60153d58eb0f.exe
3068	0f1f60cbae8c537856ec60153d58eb0f.exe
3068	0f1f60cbae8c537856ec60153d58eb0f.exe
2860	reg.exe
2860	reg.exe
2484	0f1f60cbae8c537856ec60153d58eb0f.exe
2484	0f1f60cbae8c537856ec60153d58eb0f.exe
1400	cmd.exe
1400	cmd.exe
3060	conhost.exe
3060	conhost.exe
1576	conhost.exe
1576	conhost.exe
2444	reg.exe
2444	reg.exe
2928	conhost.exe
2928	conhost.exe
1020	cmd.exe
1020	cmd.exe
2968	conhost.exe
2968	conhost.exe
2864	conhost.exe
2864	conhost.exe
2712	conhost.exe
2712	conhost.exe
2892	reg.exe
2892	reg.exe
2808	cmd.exe
2808	cmd.exe
788	0f1f60cbae8c537856ec60153d58eb0f.exe
788	0f1f60cbae8c537856ec60153d58eb0f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 2308	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	28
PID 1336 wrote to memory of 2308	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	28
PID 1336 wrote to memory of 2308	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	28
PID 1336 wrote to memory of 2308	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	28
PID 1336 wrote to memory of 1128	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	29
PID 1336 wrote to memory of 1128	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	29
PID 1336 wrote to memory of 1128	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	29
PID 1336 wrote to memory of 1128	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	29
PID 1336 wrote to memory of 2848	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	987
PID 1336 wrote to memory of 2848	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	987
PID 1336 wrote to memory of 2848	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	987
PID 1336 wrote to memory of 2848	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	987
PID 2848 wrote to memory of 2952	2848	cmd.exe	31
PID 2848 wrote to memory of 2952	2848	cmd.exe	31
PID 2848 wrote to memory of 2952	2848	cmd.exe	31
PID 2848 wrote to memory of 2952	2848	cmd.exe	31
PID 1336 wrote to memory of 2868	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	32
PID 1336 wrote to memory of 2868	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	32
PID 1336 wrote to memory of 2868	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	32
PID 1336 wrote to memory of 2868	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	32
PID 1336 wrote to memory of 2860	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	985
PID 1336 wrote to memory of 2860	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	985
PID 1336 wrote to memory of 2860	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	985
PID 1336 wrote to memory of 2860	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	985
PID 1336 wrote to memory of 2892	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	983
PID 1336 wrote to memory of 2892	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	983
PID 1336 wrote to memory of 2892	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	983
PID 1336 wrote to memory of 2892	1336	0f1f60cbae8c537856ec60153d58eb0f.exe	983
PID 2952 wrote to memory of 2716	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	980
PID 2952 wrote to memory of 2716	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	980
PID 2952 wrote to memory of 2716	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	980
PID 2952 wrote to memory of 2716	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	980
PID 2716 wrote to memory of 2656	2716	cmd.exe	978
PID 2716 wrote to memory of 2656	2716	cmd.exe	978
PID 2716 wrote to memory of 2656	2716	cmd.exe	978
PID 2716 wrote to memory of 2656	2716	cmd.exe	978
PID 2952 wrote to memory of 2452	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	977
PID 2952 wrote to memory of 2452	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	977
PID 2952 wrote to memory of 2452	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	977
PID 2952 wrote to memory of 2452	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	977
PID 2952 wrote to memory of 2612	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	976
PID 2952 wrote to memory of 2612	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	976
PID 2952 wrote to memory of 2612	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	976
PID 2952 wrote to memory of 2612	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	976
PID 2952 wrote to memory of 1748	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	974
PID 2952 wrote to memory of 1748	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	974
PID 2952 wrote to memory of 1748	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	974
PID 2952 wrote to memory of 1748	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	974
PID 2952 wrote to memory of 2236	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	529
PID 2952 wrote to memory of 2236	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	529
PID 2952 wrote to memory of 2236	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	529
PID 2952 wrote to memory of 2236	2952	0f1f60cbae8c537856ec60153d58eb0f.exe	529
PID 2236 wrote to memory of 2220	2236	reg.exe	63
PID 2236 wrote to memory of 2220	2236	reg.exe	63
PID 2236 wrote to memory of 2220	2236	reg.exe	63
PID 2236 wrote to memory of 2220	2236	reg.exe	63
PID 2656 wrote to memory of 1860	2656	0f1f60cbae8c537856ec60153d58eb0f.exe	970
PID 2656 wrote to memory of 1860	2656	0f1f60cbae8c537856ec60153d58eb0f.exe	970
PID 2656 wrote to memory of 1860	2656	0f1f60cbae8c537856ec60153d58eb0f.exe	970
PID 2656 wrote to memory of 1860	2656	0f1f60cbae8c537856ec60153d58eb0f.exe	970
PID 1860 wrote to memory of 1864	1860	cmd.exe	897
PID 1860 wrote to memory of 1864	1860	cmd.exe	897
PID 1860 wrote to memory of 1864	1860	cmd.exe	897
PID 1860 wrote to memory of 1864	1860	cmd.exe	897

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0f1f60cbae8c537856ec60153d58eb0f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f1f60cbae8c537856ec60153d58eb0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f1f60cbae8c537856ec60153d58eb0f.exe

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
"C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\DcwYIIEE\AmwkUEcU.exe
  "C:\Users\Admin\DcwYIIEE\AmwkUEcU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:2308
- C:\ProgramData\qkIEAokk\EEgkYAwM.exe
  "C:\ProgramData\qkIEAokk\EEgkYAwM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1128
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\XmAkAMAU.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2848

C:\ProgramData\pkAcYEAc\mwcoIAkQ.exe
C:\ProgramData\pkAcYEAc\mwcoIAkQ.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2688

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\okUYwoUg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2236
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2220
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1748
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2612
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious use of WriteProcessMemory
  PID:2716

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1864
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bqIAEogk.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2776
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2252
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2596
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Modifies registry key
  PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2732

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\PcMYIoQE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1748
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2584

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1884
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:1876

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1488
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2228

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hGgEYUws.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2104
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1288
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1328
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1648
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:2808

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
      C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
      4⤵
      PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
        5⤵
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
        
        C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
        6⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iSUcsoMk.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
        7⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:1368
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LgAoQwEk.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
        5⤵
        
        PID:1864
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:1856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2484
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2864
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZYEIkYoo.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:2808
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2892
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1260
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2692
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\PakoscgQ.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1792
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2632
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:992
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:1396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3004
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2488

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2336
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWQgkoMw.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1528
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1112
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:2828
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
      C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
      4⤵
      PID:1092
    - - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
        
        C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
        5⤵
        
        PID:324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\boMQYEAM.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWEQMggE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
      4⤵
      PID:2028
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2616
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:348
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2124
      - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
        
        C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
        6⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
        5⤵
        
        PID:2884
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2896
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1512
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1175617847-443799179-1979287327822986910-1790333215-17244129711914332837161048550"
1⤵
PID:1732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEMQQYcA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2884
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:804
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\umQMsAsA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:712
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:840
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2672
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:2020

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1968
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iYkMMoMw.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1268
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2172

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2044
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2892

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\vcscoQgE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1332

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:1720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1088
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2876
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2716
      - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
        
        C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
        6⤵
        
        PID:2972
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:348

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1332
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1908
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1388

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2400
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:3008
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1628
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
      C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
      4⤵
      PID:1804
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:828

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:3032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:2864

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TegAQYMg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1968
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:692
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2152
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2084

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tUoUQsoI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1708
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1608
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1492
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wyAYUAYw.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kEAcUUgw.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\NesEsgEc.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1884
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2692
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1088
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:496

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KGEkokME.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqQQIoss.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1492
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3048
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:3044
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\xmAYQUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1812
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:312
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2628
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ryQggUwU.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2492
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:808
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\bSQEIUIU.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2160
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCscMgwE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:540
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:900
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2192
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:1884

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2884
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwkEwoMY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1876
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zCIgAwIY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1040
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2032
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1492
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\NuUYcgcE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Suspicious behavior: EnumeratesProcesses
    PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ASoMosYc.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
      4⤵
      PID:2192
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2808
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWgUUMck.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Suspicious behavior: EnumeratesProcesses
      PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DKcoIQkY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1268
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:2280
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2580
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
        5⤵
        
        PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      System policy modification
      PID:1244
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmYkcEAI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10362761581635013369-128172856-424920236-450117581-301632456-848668207-884425491"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ukQcYwYk.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\lWwYEIgQ.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
      C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2644
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    PID:3008
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:1628
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2488
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\oiQQYUkI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:112

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jsoUcsgs.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iockYcMM.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2876
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1044
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MsUMsYYE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ygIgsQgk.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:268
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2256
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1804
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\nMYkcosA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - UAC bypass
    PID:2756
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kqocAEcA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "181726323758480206-5796985461444676043-398819706-1424134380-589230354735891381"
1⤵
- Modifies visibility of file extensions in Explorer
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "975097354-1491976079-365380497-19568380241089547424-1437496284765051430-1560278881"
1⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HEkcQEwM.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:1612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-859464536579782890704060038-1900455371-875944324735810729333160538-2024493300"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IQkwEgoE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\jeAgMIww.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1540
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2560
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2848
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2848

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2492
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "511773611456307158-1000647674-1500244698-1868180037-1297516781670215569-487259910"
1⤵
PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\kuoUgAIY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2916
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGwQwokk.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:916
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGwAYogI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2716

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9873278921286708774-30534051609173268-2089204245295159192-858746314146727431"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cCkkMsIY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\wywkAwkE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2260
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Suspicious use of WriteProcessMemory
  PID:2236
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\YmEcggsY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:828
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1445860950-963589260-973571803022824691142943574-1518687641-1319272011412972480"
1⤵
PID:2556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "957891210175926094927638572-143113809-122093412916651771514227942171994177882"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWwAAgkU.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2469008141262733163-18693804471340866190434021299-2100636220415658142112905098"
1⤵
PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\kmwkAcYA.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:1028
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1748
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    PID:2968
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xoMoIAUI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2972
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2920

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2104
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\BocsEsIg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:760
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
    C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2006289281-2113650041210623355-1593044372390602265-1600306207-5130814401631305293"
1⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AmgQIgwM.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SqokMsYE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2328
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1716
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1876
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-165728397718721205291310762442-1706678341431666742751546145-14312892921484365179"
1⤵
PID:1088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1235023791-1443139486716887420-54895253876549117891745991356876358-1284210649"
1⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eQAUAMQg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2025397708180113572548491133-23535773717225587281208130880-824684712-1782950145"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1810481833562256832968946389-5893750141677619296-324426610-1415480535482890899"
1⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PucccQQM.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OmgAowgQ.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\vwcIooAE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
    3⤵
    PID:324
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2280
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEUMwgkU.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1954984850-173069175672899225-191547339-548731687-12482285611729879086-2043791904"
1⤵
- UAC bypass
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "630508882-95849987-436140314-1784436081193646871902579751-12620453251583817657"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ymcQEsQI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FogsMUMI.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2452
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1652
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:352
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:3000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "39493503-935757414211809803653886033652242286-387940504362314788-300611191"
1⤵
PID:304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "609286604-15717525651611725344-2034907-1804815099-2041354682-1233144697-1654059346"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-602671298-1159849604-1182107291-1050829450805121871966523351-19624135611721087784"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1570610925703906688-2019785459119173923216382998661259743290-8037891321907049180"
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "700465507-490315742-1405474927288799960-1244370788-13634563913351684012030077984"
1⤵
- UAC bypass
PID:840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1571854655-2123337663-214991984-1783169113-331015043-520858762-85793098-1135634105"
1⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SUgMoAkE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "869585581336932895-2136719072266353088-499777940-2023783691-14916862101889853511"
1⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15292920891781814238-1556866650758851525-1414069172-1432745522-1777395649-1318990172"
1⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2504

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1593718444-59812875-1764965555-393386723515529783423197959-1320234096-1739284006"
1⤵
- UAC bypass
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\miMcgcws.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\JeccocAU.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2548
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2036
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:1048
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2248

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OigosocY.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2124368095-640580708493226182-6177464991220120733-14209483781040238473-1686186248"
1⤵
PID:268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-390729798-1657981326315114601905936610-1902439031-1474539741-1935588024-1891417763"
1⤵
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1347565908-116806961620182077958714835331106164051470446679-433003091-647829626"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-933668214-1647353279-51580771-1841761897-9136214721802994274183436056122839435"
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-138406479-21028585931317015052-872477235148030171278462673110336614622086385468"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1457261419-1981013522-2133405552-196697745-585504472-1965755743203912652088432426"
1⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "331022656139678975-535419733-12427942621710975271770637008-15082891031474893592"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqEQAUcg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2784
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:812
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2208
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
  2⤵
  PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "463964355-223434841221147198-2002984991706514289-554948921128339722947321556"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-35037371617420928503185454091767571436-562236296-1330234214394252781613872560"
1⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7125689481154732653-243519042-1083699826198138219233556074613258227041792688123"
1⤵
- UAC bypass
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1923421120-1417310862934704126-951501800-6660054821695455221-893097109-1018880025"
1⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BCAAMQwg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1945113239-1644392509-2536675491528601666849839169-57130908-223432103-68145517"
1⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16799570043921661-14048928141564656482-1328159191881757781-1213421499-1736814787"
1⤵
- UAC bypass
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2552

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20047085471147645555-704745520-953592702351804386-885858558-115803130919626182"
1⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqIocEkE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
  C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "195839373984640599-639369117-1861209889-724934451-2142949931-1870034857-954278893"
1⤵
- UAC bypass
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2636

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2484

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:1684
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1824819173568589075-950104036-123181645047314920214102191209831142-355946006"
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-241638904-7819367079355414416728327-1533415317-202597255518178085961425766743"
1⤵
- UAC bypass
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-335326347-442198238788946468-1758519270-2112751644-1076694367-381630070297534396"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2932

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1557305259-17482580-1405165586192806042-7963956852214343231487451182114223617"
1⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XcMMQQYo.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "664699131-1864071620-504198447-37735491017503536681158634057-1162859856-915318263"
1⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1670765485-434900111131782147435322672-1371735650-1930007035-2023982599-804131689"
1⤵
PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1640

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1377844482-2105372069-881779736-106140504010995681810824979715266598021793707745"
1⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-584912058-1083008386-1685929033341300928-16441536851050468759-125962962149823301"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bkAIQcYg.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "431101603-446259084-821016994124992787-342908472-1103514583-1442782907-1697330333"
1⤵
- UAC bypass
PID:312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSAwoAIE.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jMkMgwks.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2776
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1307624841-735867836-149779413115855906821097472097-1186888256-7383433121596738576"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12830826742994489361254748376-1165711550435587446-1865113045-327156303-788464813"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1836832258-2129869260-90192859-5636637301055400562186423911-1578504906-1967906951"
1⤵
PID:3032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-614605480-1237198468908968387-1137440878-963381610-3741617191606014859-786877690"
1⤵
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "574612292-1226264251238218674-2100326968-1644898064-14968487582119840052157607194"
1⤵
- UAC bypass
PID:3000

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEEAYEMU.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AGwEIkAc.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2210579891705165990-1677560842073170611-444351463499606817358652951753963714"
1⤵
- UAC bypass
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2292

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "115822374480093830116119510-1411911526639915601460824954967071898-324302842"
1⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
PID:1556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-766547810533331426799274740-5516384871275803225-25994441802100564-667323747"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-679327749-904412575825037891908423405-1855315428-14606692961044432369495646065"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2096804969-30445777416950004271081030834-20175442476821904728139233541276306958"
1⤵
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9086476321099211692-7888126051257412761-17987770221941227730-674135941-18487682"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "460574040-3190673741911316697-1858993523-73905860-14245275691636843626-1893417948"
1⤵
PID:784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2030665734996670329-184510234410142109991617267651775831273-12566742181952085472"
1⤵
PID:3024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17578914911735863732-161045237614850694501137537040-5223093617375374451532134980"
1⤵
- UAC bypass
PID:1288

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-806513783-785635079931204471827680759-12516442701548732096-531711578-163514301"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2896

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4019559691845351272-703691967-18206626282144537896-1847130294-1139157418873361673"
1⤵
- UAC bypass
PID:2616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "661577781-18786513483127480132110357787-998170708-15409980105931061301646638490"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1446049984-11854171505694253792026854554956029178-435332349-2107929978788966785"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19709578361091976287-1774204424-1652765641985175072-2050519764-1409400758677865454"
1⤵
PID:2336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1630085432646468322-1329234552760411334-747435520-1816818093580892141554171807"
1⤵
- UAC bypass
PID:1396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1846959880855770379-559367418-1052289914524859527205290422412514321751293514064"
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "33281290420560712562134416170-1940030610-1733260517-20721981320102762051344554653"
1⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "26540590114542102521177767609-13653917231600849931779248858577075323-1867160805"
1⤵
PID:1488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-832583362-380048245-705406631-7707625171531559285-998972818-756427007245157587"
1⤵
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1325042115-1917032063-127227497019713628581717884334-125270003-1081819008-982587716"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-25883608-1435385246-1803064954-48471673105079252667085717789433915590491216"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2008

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2485298971848479453-15509158982882395411100489349-1400437178-7042324871754455974"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGwUEAAc.bat" "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe""
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1003618567-772081151-1859684479-844707700-15681043814427891899709275201074699508"
1⤵
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17030062601864933451386878386-434235158-2678217771836665161-1893873036-131418134"
1⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "269369583-110885532-17338454012020918973-20853277241949622482991300551362106966"
1⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1221292124480862251-1832146495-5042018401694864973264637011-783525830-1654999546"
1⤵
- UAC bypass
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9337908431821906038-1834786839147490744515363274561255042733-2118019916-151026628"
1⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11822812711116609742-824607515-18634778681300133225-217134603-2701291591098770520"
1⤵
- UAC bypass
PID:812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "854387341451334117-16376371471100583890-15276477541406249837-2122316238943227167"
1⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f.exe
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "198637955916723054191288809717350864792-5592668-313221079100260197573814086"
1⤵
PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1924927958-1963560606-88489508719192998732114366482-18611582288003027739841981"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15446791341386646939-12991369981016914671906795920-147326610742658970-2106528116"
1⤵
- UAC bypass
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1849220995-741491925-2088732333818238515839156235899275881-490525552688656291"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.exe

Filesize
455KB

MD5
41e229fec55c052d2a225be8c1798192

SHA1
4430337770813b21f6b055efd12b1193c1e17f83

SHA256
66c081eca7053baf5d234fc866787fcd7da00337605a3d5b95314609a6b211b2

SHA512
54439012b079af37630bddc32788727be31c69c761f8c1a2405aa4e897e9d5ada574f74c804e8bc4be9c7a8bbe0acc874215d94a82d1f9dbdcd6cbe971b6e8b9

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
202KB

MD5
ff0b0d2706a05da89cc5645bfab2b37d

SHA1
e634113809b9f1468f0eeba5b1487fa9d318697b

SHA256
145ab7bcbdf49e2c35ffff2f6bed4a867803aa3075b4ab9cf418a58e4833fbf7

SHA512
f656968157c3c70d6cce373eb41b0b9975f09828954d43f3c37eebfa489f872e8fd681b7550aaae72f7b3fd6e2cebfc0603d7ca5feee4fb13b901b6e55282b81

Download Submit
C:\ProgramData\pkAcYEAc\mwcoIAkQ.exe

Filesize
93KB

MD5
952728899458ae29efe7287c8f7bb9aa

SHA1
a14023f4e61d50e19a01faa9d9ddbc77d25f083e

SHA256
6c2eddfdf18c3a0ae9ad773a21607ba059d0bda107c1430227d55dd3858ffd7f

SHA512
ef682f71d5b2f265dd3481f1a05664015b46da7c1771494b46969a79672a49e084c6d3fbce7ff6f15f2dea0da8c121ae8ab992624b1a8d6783e7b4056925157d

Download Submit
C:\ProgramData\qkIEAokk\EEgkYAwM.exe

Filesize
93KB

MD5
b49152dfb309a8c6b0bfdf286ff2a060

SHA1
feb9fcf94423b2375bf2ae49f78fea05a2b49cd5

SHA256
8f85bb3937fe45526008560307b7b63724cc3feaec3ddd6b72c6db621fd827c7

SHA512
b913d197bad08bfa003990a16be4106a2a80c9962449c272dcf9de9abd13406fdfe782cd4606b627425513d7125250a8b950248296f4e8a70daeb89db44d38a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f1f60cbae8c537856ec60153d58eb0f

Filesize
48KB

MD5
b0de08b6aada24cdd3458113d175f1a7

SHA1
225797b52f320b3efb2643c55fe55ab3a5618ae9

SHA256
40015814487b93a8372f33284d45586739a4a1e9d2b7961ab8c6d4d9561d10cb

SHA512
fd59488e0223f49d66bb3ca7a70e74b7ca2052769f78790aee0682e0306f6e9421d28ab9a34487bd8934571cccb6798c98040b25934dfe1f0a13c7ca490ecbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYAG.exe

Filesize
194KB

MD5
034d7e1c111be58ed1140d1d4f39bb41

SHA1
2cf9e1435c1a03b25a56b981edc983aa714f0ca9

SHA256
fc39f9230bbb0913a2eff02383c899fee937123cf5598d881840f06dd9e71e08

SHA512
c816f9e045f49c9fbc1125713ceb3a8b75e60c81e9cfab03c5d0c166d31ca63a88f5ffe3a4d32c826f8d9d3749fed37ed9ac88d4f928647f595662c2808774f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYEU.exe

Filesize
28KB

MD5
7fe1281641be8f623b450a83c46f726e

SHA1
61c1a494da86c38a6a0ef68f7063bd6ed0465267

SHA256
1c09185d27a00a5cb16ea237b852ca9817343c22a925d0c5614e0d902bc7a6d6

SHA512
e3cdf7e3ec3154922b5999819e8199da6f4dae39ce97873b9f37668213cbcca26e0d369520a10b84f3706d886fb67705ed42194e86ea82f35ff81e35b64c5a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsoG.exe

Filesize
45KB

MD5
ab9e49527ec4d1ffe57d70b706f64957

SHA1
9c29465b35ba08bb1787df0537cb0ff38043533a

SHA256
5e7ce0073f28f98d7dac06e7897d7d6d809ae3399c09e73c2cda5fb6d9cb76e4

SHA512
d05db0ccec916fe61551b6a1d06bdba16986ab5f5355a29c7aa2895b76ca16e803fae55d92eceb3d28095803dfaeb1ae5c00c23cfe031b35fe89c81704a315df

Download Submit
C:\Users\Admin\AppData\Local\Temp\BccIYggc.bat

Filesize
4B

MD5
c1e0429e050604101e84b353f90083a4

SHA1
7ebd5f8b76f585d0828bf56223a65e54ff215535

SHA256
28e5eb1f6b4311a3634dee51e57ff2fbd57829023f0a4b062c00b6f3184dbb9e

SHA512
967d78c6feb91901036e589cbf05816e92ed4379ca79fb839d18e67687f8ee29d0eb87f12477509d6dfb0d54d56b8a0b34241014bd9624c7ae2a1dbcbb902991

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqMEgwcQ.bat

Filesize
4B

MD5
59ca597a7687eb39aaed51ffa3eb4f76

SHA1
05500a21b65b8bddbcbd679401d04d106554ab39

SHA256
d63b8e78bf582695fc856db9268f2d9acc004ee13d0562d9a3e6952a82acd46f

SHA512
e00cc6e6cb1afa0e65d5861f035290bef93b32349633d4917279c0ee81f6e8640ba6b1ac8985843766f42ec3e3beb4c410f2865122eec51fa69e60001749f6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMo.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMEa.exe

Filesize
35KB

MD5
cfb5a8b2dab8753842ca6983de51f826

SHA1
9c163af907d21157c6d04096e0b4b5c1179c9c5d

SHA256
21bd3daf1c6bdd0c115e642f95777e47e9edea8a80ddfa47e676239c2b24d1c1

SHA512
bb51835d5ee85a7421d6e18e44757b4439945ab3312b5bf256248dfaa0e926424a974126b1e1d4a995d471aaeafb7cffe1eaded585c5172891055febff0cde97

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMIgIocc.bat

Filesize
4B

MD5
34eb37ad13c85fbccdb43db6f49f54df

SHA1
8c6ac2ad0510fae9ad65e61bc5d730177bc4321b

SHA256
5f3e259acde3fda5e20b7fdc9c7e687f8225ef21b82c767b2a0009db46891bd7

SHA512
db6e1098ef4bd0c365476aa4194fd0169f0ec49c2086d915f24e63f19525698ce9be29a7c62d70a60c4171ac58cf4cde61c31dedd6b915bf43e041d0d3cdd45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUYAEIwM.bat

Filesize
4B

MD5
904d096a6540c95acffd4498a06d6173

SHA1
78dd9dcb6e2b1076afc102d5f33b634dba9ec622

SHA256
5b6b4d5fce98275a7446fefded238e007d07e4c0d1c17f0e16f4e64c8df5040d

SHA512
43adc9d1988f4958064837a72d12d2e7788b90df149086cbf1a7f729040cb53c9488298861e631776203837aff34ed4092fccb2f80fc5996079633873ef6b6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkgE.exe

Filesize
589KB

MD5
b05cd8dd064648f5586db3800920f68a

SHA1
845eac84b19fdd92f2a881015c7fd070074fbab8

SHA256
4d10b63303e8c86c39afaffa4753f08fb622beb2cc5677028fb7a26e0884ed0b

SHA512
7610a33224e663c1c9658cfc164e8b2c7af2dbaa29ecde3558106a87fbb254ff451feada1f9824a3001a81166a492dfe96e8c09dcb45f11d2f6e0b795e331d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOMwwkgI.bat

Filesize
4B

MD5
3d6f2495b768b590f57599c02fe82f6c

SHA1
ae4c719396422af6f4d4f8d967139dc3fa8aef92

SHA256
e3b84b4ec1504f2323f720628dd2b8c5dd16be2756d712e46917bf1556b73a7a

SHA512
9a4ee2e5da5fa86b565b8e685d11b7a4139c96702d6aa7c383d325617270dd725be3393e1a7f5a2bdda817e4321c3078296afe3b9b766507f10563950a792142

Download Submit
C:\Users\Admin\AppData\Local\Temp\DaEYAIUw.bat

Filesize
4B

MD5
e8199cd7dd382712f9441dbf18e84e28

SHA1
48ee0187682e1edabc2606a9d06695cff7562e44

SHA256
8ce0b1533b16fbd278ff7b721a61c09c7a0a52951c470603571b962362a9fd0d

SHA512
8b9fc989171594a4dcc56615326de2fdc7be236d0cde0a28fe3ded633bfec427f79a91b8aff9fd8b32703f2280dd4bdbb688db5cddc5816f7e9468c855e63c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUwIQcwg.bat

Filesize
4B

MD5
923fd3453826aa79165e2250909225cd

SHA1
9bd60feb5f31c6595b30db4e39e953287a6638ab

SHA256
ba677cb4da903fd10d7d713b14f18ec1dc8a14b403ad99925fe02a0267b540e9

SHA512
678c142ea68fef81fb07faeef615fb4ab80aaa1355e416ddab15769e1eded3ad2cf7811b2e705e9bc60f576733a97d0aa7c30dc5f4934053589f8f38b7f12129

Download Submit
C:\Users\Admin\AppData\Local\Temp\EiQssIsU.bat

Filesize
4B

MD5
355dbd7259c816dfdac82f0cfb9dd5f2

SHA1
9170a74fcf45c80b817101fe78ca7c7e35d7cba2

SHA256
2f56313304eeed325e27fc1e0e3f7e2672b261418c7abbb4d4f559e01f68b25f

SHA512
4ce846c3e87562a9b3743ccc00982b5d0f0697f61c404ac491eeca4025518972b92988e69753a67d5d60f9ade0ea66b9e99ceea310864597936f1bc999e434c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FwEcgosY.bat

Filesize
4B

MD5
a2edcd724255d6fa598ba20807c0d3f3

SHA1
16a16cd8d27833055273c37dd906cab76fb5e8c2

SHA256
f253b3c301a168f9d973d444c69892ab654c7767279104cb8e9fed4dbaec2c46

SHA512
21af73ea80784011df86b6eb1c4584ed62a0e9114ad6b550928eb33f602485ec3d957de05780e792469af980cd7fec4924308c2cd704fd8060658aed2a647d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAsA.exe

Filesize
772KB

MD5
728c1bab00c8a2fb2058845d238982af

SHA1
ee046e68a8369f93fa85ef97806771794b02498a

SHA256
24309cdf86243ce0fd43ce985cc4f1dac5a5c1e9143557e8577046e73fedc7c4

SHA512
6ae08d2ae2cb242ca195ad8928a7b6457284b6b1022258212a8ab6ffc557e47aec291ebc3d2228b9255792db2ed8d673e19d90d79cf8eb89b2c23f7960260d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gscg.exe

Filesize
390KB

MD5
74a1a65e26be0812b55916ce04022b86

SHA1
1de65fab414e5fe05f77738139069257dab97ac6

SHA256
512374ac13afbfa9ca1be5d9b822d291f96170fc960a95a38c0e5b054232d76d

SHA512
82d7c328af605861cbd0d3bfe6ae5be316df71b55a89884ceb646f8ec78ed55750822a8e0cdb9a636f0ce523aac73109625b3d033e09720930e8be8272cef787

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQoMIgcg.bat

Filesize
4B

MD5
b5baed1847f15dcbe433261c78217028

SHA1
9895ab74ad84c3e425330d8bdd29bee1d202b4e4

SHA256
5cfbd592802b0f91210bb42d075c491038cdad545de846f186b768cb74cdc44b

SHA512
29b180d36b89df81c0f4d2e85e69980ca32c5888c921d4515c346226230eea92343b1b249eaeaabe019584ad022058a7162b375168c79549e1373bb98087b809

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmAEskoc.bat

Filesize
4B

MD5
6d0ac23ba4bca37c3cb8ac09fc5a4bee

SHA1
8cef05991520d2710ec35f018a949c0b001b4e31

SHA256
0d1e0961d570fc55eed141a6916df0c19e649b9d090acb9b59782c90fbe6e7ce

SHA512
3d493155bf4a03a1eb82079fbb9af588d88f70651cf6046e0c19173df546c6d5e3655154c21ceb8830d5ede73ee02fda095296f0ebd9363895d57b5e4857a5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAgc.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIoUQwsI.bat

Filesize
4B

MD5
ee26c9516795e6924d10df33ab625f88

SHA1
1bfc641f46ab5752f9cfe1c07c7b28ecffdd14dc

SHA256
f2687a3138fa554b94f48cf657e5bc51a305f65e7029bea08bbef586bdc145ae

SHA512
39905d97790e6419f988f49a0758647c4efd76038f6e2593d369bc384c01b58593a40be7eea0aedbf98443d4ea1d4a31ea18db5bec4f64fd9889aa327f40e9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMEw.exe

Filesize
770KB

MD5
b65a06d2368160843db6adb274715067

SHA1
3ad9d35d9ae3c634d488f8e12144318a63760b3b

SHA256
13527b28d41bf89a169d38be4a27b78f0cc7961dc68ddc54f40edd0ca29fccc7

SHA512
5ec2127fd00c3866e1d38026905715e66dbdfe510e5532c69ba988443f5798f588a8293efe1c21aed77f7eb799b119e9b971b89a985c0ec5984a5620c2b7f3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IOIEgcUM.bat

Filesize
4B

MD5
566e0580ffee68bf5ac73c18856af51c

SHA1
4c63f8435fd7e242a46037b887b35091c93d9000

SHA256
3e31784b82babc537e3df8feefa7d3d5e0a018fc9dcc05be9404ee7e8e831bc2

SHA512
416b449d2b0b1e61716a712ba2663e88e70779e3eadbda827f06d011d635f87438f2e841659da6ae74b943f99b977b8f2d7fa2d9aa1647dd03421f3b944b54d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYcO.exe

Filesize
40KB

MD5
32f5e4efa3eef255679cd35cd01b4642

SHA1
f767560d21a6b0ad9a0cf71f3c70ddf994bc4d19

SHA256
c9914a24d0c7a62d4404f8931d0ae53bdcc1ba9c928e43695aaf24a3dc6386b8

SHA512
dc16d2905fda36e0aac6ed96beed67308e8596e6ff70d030acc10089e2f4802809a6783b334bfdf2e201aeaf5b968551f49b6345467babbdef231d16a9154885

Download Submit
C:\Users\Admin\AppData\Local\Temp\ImEQgwUg.bat

Filesize
4B

MD5
a85cbe254837d7fee7ff95a300d5ca7b

SHA1
c5e0d2c97d870adf13272d0d05e47439eb7b0dab

SHA256
c864e9182055c11d1fa1d532bc35041e65a66f779f6913ee45bcf8cdd9c9a1ff

SHA512
2b3f12dded5fb9e76d628d24d8a001f59ba655f2f34f29598a3a70e655398e3469cbf2b97f8e258fbd50a1834dbfe5259c6a7f8f8444754641b96c434f74d2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoUY.ico

Filesize
4KB

MD5
8e03abdaa3016247fdd755b7130384bc

SHA1
08dd2d9541e1961b06957fe9a19ce83aeff51a5d

SHA256
42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8

SHA512
e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeYswQYk.bat

Filesize
4B

MD5
cb2674c21965329f853fdeda1df5d22b

SHA1
901259de042a29e85e3a8826e16e5bd80b30fbc7

SHA256
174b6226011cc785fc97875a87019863314b954b2a0f63403bb7b7d1520b87aa

SHA512
c152b1e6285a4d871a3fcc1ca78ebe1eb8f3aff573d54dfdfac4877b0c005e2dc4565e40127555b1bfefac3b5a025730d40547f2081df133d3bd613ac63fffdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAUU.exe

Filesize
309KB

MD5
4c0625f4f29c005071674b485f402c6e

SHA1
dff1e5087e657309c8e7fef9f31921e7e201a80d

SHA256
f48cb80e736cae1dba85b838e1d9a21da8214aab8f115a90f9c4748287d190e5

SHA512
0db7d777b32951fbc16ba0d09b2d9b00950eeb07a0d6edda37468f7ebdc44414bf5bd0dd0a9459c1100aa35d3d26e09842f217eab14acb191765d7dba1a35662

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGwsEQYg.bat

Filesize
4B

MD5
3c1e2c399db3da1f0ef59692a18ff7ab

SHA1
848f3288288cecb1a3fd76bcc66e911d51d198f6

SHA256
c30d6e6fc2d4f132b43ed79feb147da9cf172ce751ff19b8dc4347893c3e0e97

SHA512
8a0d948ac38ca56afda015772ce58f5e52f832b71ac1b89e2b8f8da512567c182d67a20d39a7661d7095921b24461a43a7c42f875b8dcfd055e24de24b14b1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgkUsgIw.bat

Filesize
4B

MD5
d6c356800b3087f0ed260e414eade4b8

SHA1
cd6521f1dbf74c7d784ec3db9c25bc842bec8fa3

SHA256
bf032c7f38c2a0da4c90c8a6671b57e7c9945208373b1088ec3354ea67ca3b5e

SHA512
a6154a4b49cf19afc54eee0df843cbcb56c33ce80b11f5a8c4c2e19136ac932b9f13381ae92eddca7f5da93a22afe790db8476b2c13dac802e83e2c70d4d8d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ksku.exe

Filesize
330KB

MD5
32888501b91e1d89d7cfe0e9f5d9ab34

SHA1
7ca20858e98e5aecb4d7d68adabfa3835bcbc31e

SHA256
512145d22c7ec6f13639573c1c52bd9deeabdac418128729a11b19fa01d5ddde

SHA512
967d012f8e4420d791bf9e552697ac9c8e97f01e31b12c09de2e1c4342b73fa31c21e99e909eb5e8e07753627c3b3151d09fb02fa4774869cbdb1cd2b398a8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuYQwgkI.bat

Filesize
4B

MD5
3535c2fc69f4690b5d9819a46cd93e62

SHA1
e9cf663653383a3a802279051d676dcc901ebadf

SHA256
68bda39a1f3283654639bdb0422334c04340825cc905bde10d16d86879af6d7f

SHA512
9c8f577942f1addf5aa32b34bacffead812c79b7f2ee559b3c8c94cfd429a085639ce3103b9aead46a4467b9a0285678b03866eafc3f9b2b5976de20a6789b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LaEgIEwQ.bat

Filesize
4B

MD5
813042bbbc8a8000c2970d1ba82f974a

SHA1
204d279c24a1b21908077a151ab38ba85923be3c

SHA256
48e0a3e3608675b5b625c71f9af2acb04a65ff5f14db4cf4e824d3f06480bfb4

SHA512
2910b068d7760b05a1b7d86f2a7d476e6ccf70e00ef41d4f3c50324c4b482fc8173f79cc790125b43902b741c8dbd8cc30a86a0fa35c5d0357297f4a66eeb1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoooYYYY.bat

Filesize
4B

MD5
80515796484698bd96eb68345edb9279

SHA1
347540b44a447b1272455c3c68c6af40c2f0c6be

SHA256
65b17661432caaa28667ddfeb46e5f2cf56bfbd9ee1a6cdaa53c87f595adfcf1

SHA512
4c5766c16b74298b0082de6c234c19be44e478dab74197cdcf1cd7d35a468e3bdceacc924aca23499583e848dcd9b65fff5c137f54346ce9c37b2bba0eff814c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIgccwwc.bat

Filesize
4B

MD5
c840bd986da8993a949fa1ff9d011b80

SHA1
dbbb2996f34d6d66ecc8a6b2d347d681d2cba7ec

SHA256
ce135dd39f520e5c190ad875f7162015e544a291d7deea216b6ea00ea33e2413

SHA512
193aad6d83b18c0fa455a1c7eaafaf2c2c9fe50059cbb92cf625bdc22400d63cc09a0aab39a585e8d92959e4064fe1e94173eec43badf609d864ae8be337f85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYYI.exe

Filesize
198KB

MD5
a964d3198be199a5e8bbe2c26340046d

SHA1
12b4428509a2853b164cf00ef40274e8a50193d0

SHA256
acf0f3d7fa02483ff8db00281191eab8792c1f7b9ba6307561ce8126d4815a81

SHA512
422cecf53ed53e1c3c12f8c945f941eea795bb21c312cc9c4cd75f689a340f0ff0ce29f87c71013da39dd317a47926a4e1f4c081dd79e6718a93eebf91d1e75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYgS.exe

Filesize
1.4MB

MD5
33d379a78dd607cdefd75e7aa779ca44

SHA1
0874e16fb8c2b8daaf9472e6ce7a34a3bb42962d

SHA256
00e8a18afdbd9d0a5b93e01a371746dba1d4f29eaf32c3ddcd588f6780b9fb3e

SHA512
96868f64993e23c8b347d95a1d3d861b5076f96e1002b5b969b48bb3bf4241f2a3a7477fb85d7bc1ab988b339763095ef4261cc000ba0ba9b61c3261465d4990

Download Submit
C:\Users\Admin\AppData\Local\Temp\MewAIMoY.bat

Filesize
4B

MD5
e90befc0a5c3d2403e1d1080d430fdb3

SHA1
21ac0d31b7cb3c683e0b6f827a162e6c9b4f912a

SHA256
df20828358c4bfb742b6485ebea2cee355bbbcb9f64e9ae6fc36b3894acc3956

SHA512
ea33dcfc68fd8ff96a90b5caf551f9afaa6c1ab4518bf73e7d2190932c552bfff9bc6f9d03c6aaa0f817338ad97be98187fe0be91a743899c7729ee48be5b055

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIIQ.exe

Filesize
66KB

MD5
2ced34e0108e4f9a8bb632c2158df11e

SHA1
e541b7e3cd26654e0756d6348ed23093557bc4b8

SHA256
13c88995f29010bf7b93965da413999e77615840bf951060976370f27354d49d

SHA512
de68835f3ac306ecfb8a6f1a4a4517a4bd35ca1fa48929cdb2e7cd3b4ccfe5b42d7645d274d76607a0452f863f38a260b2ed35dcb6fa36e197c1ebe8817c5d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIQQowoY.bat

Filesize
4B

MD5
5e13e6a2ded017b1af392dd24731ce30

SHA1
290df78bd4cf61e0bb18cdce130a7f36667a71ee

SHA256
ed6e198ec86ee26a8dba116aa4fc727684737096350298a6e19525c40dce152e

SHA512
3020c5c69f048ff87ea76a0f8ab00c80eea6fad919156f38b1c28bbb99ac965b863ad47385b382989bc1eb8997cceefbffae456080900eb742f0617fe5b6cee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMAUgwsY.bat

Filesize
4B

MD5
68f44b98d1ca6fb3356b79f94f5eafc0

SHA1
1d2b542a7d8ab0328062faa3b9d5c56b7cbdf381

SHA256
d1d1344cb404bc231f45676c64a384bc80a74b2e393b48576a6fbd3273207b9e

SHA512
990ce4ae34f642054e8d276399fff0bdd80d8d9581e9a0e8113cb41affcec6fd30237b1f0e1823dafb284147b974473b11b0f13fb740aba9411233278517eeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUUY.exe

Filesize
1.3MB

MD5
b8273041cd0b9b26eec59bce342a3edc

SHA1
f68b5423210da0d4078060a8763722d04349185a

SHA256
e5d1248572de151989d71ef91cf31dd9df50c660e3ed1fe70df3c42c2c398b36

SHA512
29c6278e9fcb227194366dbd65f16277ce5acd1d6a826acc59b904d86077d733442296879782b839b1481f82415b933effc656ad4d6189d80dd3b5885a9e9483

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcUE.exe

Filesize
445KB

MD5
00f7c0cc9f2c99860457c6189acded7e

SHA1
f55b7d16c7bbd483d6e6e97dfa331b8c3f95f2ba

SHA256
358513f03d84b3afd4d424268f7af6fc8716c6ca24cc52e2b3ee97835a5de2d1

SHA512
6bd319aa3f980cde6a66adee5694f86e91b1d42b8c378b2f308eacd2e54016beea857f2b704d881b417da162619f29b1febd910dcddc44940c775c433fa0065c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OkIw.exe

Filesize
430KB

MD5
c5ed23addb5c1cab7c5f6da2f502870c

SHA1
8b0ba795720ff3460a6c86e79a462c3014734573

SHA256
46bad6db1310cc53430e65d73e7f43a60c2654a4da0bfc03d7179e9e0c62b7d9

SHA512
40900feec527ba9c6a903fd9037d8230cefc240a87f03c0fc1ea34b2e6bef3adb8f512030b5bfec38b1e602405f43ff7f2a8f8c538a0a8feb52e919c977a31b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsEE.exe

Filesize
780KB

MD5
f04b702fb0457ed8569d0337cceaf732

SHA1
4065885aea5fdfe2a5e99b4bb61d6a5c55d2eb3b

SHA256
e8434cb9db0f09762783e3f085bc0565d6790bc577805c9e1584b234c0175160

SHA512
3f541cd075685d84064763bcf731cbda1b41ebdef2ac469955df31c67a8608f2bf246ae7a52e7d7707adff125bde88e08a72c7e0a47e8309eb6e95fb98456125

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsIa.exe

Filesize
832KB

MD5
550dc83a67f48245b5ea030aab96883a

SHA1
639eb13f70053d4846f4e918fd6938c4de401d75

SHA256
92b4a623eff0fb5af21ceb72758b29bc4d100857c6ce021d9a7f81d106369c4f

SHA512
f0a3c5c1bbf5c671fc377fd29255c1127b0d746c01577c8c159f5ee500c2b2c6b5ae076f8d64fc879d6a219fb5440f42ff6770beb3bd4b60341abf1d878ef25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEckokUU.bat

Filesize
4B

MD5
17697b88b8c7d18841c78fade8fd4d1f

SHA1
99c8945770503f5b7992407a02fd3c295b394175

SHA256
cd07a0ad06a015136aa0eaff7911b656ee4ef6985039b8b933c0d00aaac87a1c

SHA512
6a62f5cdd61709c875afed0840edc07f977e72c8f2d9359bb35a42d2695e5f0c2e78adfa4f6d001335de677bbd5cd50a17c45aeaa7babbcb077ee2b3f4b7a263

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIIa.exe

Filesize
605KB

MD5
788fcf25341bc8810142dd46b1064d43

SHA1
138320addfadc31963698540680d41451471ca0d

SHA256
0a411b26c5129dada53ad678aa8671772b4d3bbfbbcd8b895c3c506fe9c7a3ec

SHA512
4a7a2f6ddcf6bf6e2b56e5e2862e719e98dff49c6fcd385ff19b40ea757ff658f2b824d9c58b7ff2efb6cff5b06c31d478ee5f091ff5534a4913a1548eb39b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIUG.exe

Filesize
480KB

MD5
0814775190c4395506fb08de3d94c92f

SHA1
ce487ba8cbd3544d9e412874aebb7bb57ff89b4c

SHA256
59e581b4243e0bea191e083eb31aa6665b2b162f0bac9fc1e76b06a08c666341

SHA512
40e6106be584abb8b7d9429519fec7eb04d7fb99aaafd52a8361e0e9ea50732a9e96e37439c115839260c37ef3497f484adb2ee2dfabcc45059cc0677782afa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMQy.exe

Filesize
139KB

MD5
29b764ac33ac6d46feada5c12c839ebc

SHA1
8a964e7f2a37921ef136d69b7520e3de58bd6518

SHA256
9933f1d152d1f7eb4fae0668763203fa4c5f05ea4efef92c6f8d0b71c9f4dc13

SHA512
1c5fe8b42f7c02370ef003dd69beb6fff757a5c659ca4f37d2480569556e697cf4c3eb45301515926683b58e555eb01eb3814a7782929f3c794795135757e4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMsW.exe

Filesize
756KB

MD5
f8129d0acebdc60dc146d4f03f5e4205

SHA1
a7100149236d03b5bc5afe75e7c6f9447ef280df

SHA256
961973bad4b305eba0358b66b335a7d559816f0beb7d6c4af3cbc3f83f9faac6

SHA512
ad5838c57a77cc6c52353cf0e5fa47b66a58836d91df93a1338ba91d0143302ae3bb271a4e7fdac8c8bcd9d0781f7bf9773d2d42f0963e9865548cc5c5db99e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qgsy.exe

Filesize
181KB

MD5
18c212b162a1c7424c16f5016de576bd

SHA1
e92f85bb6661208d73795d1636516d5127479578

SHA256
44affc2e8ab2c86c847ce2bdcf6bad434362c4a29b2fbaee1ca3f0efdc0fbef0

SHA512
d65f315a9c07b61369eb9890bb6b1758cd56fb255cf8836234c8b93e878209d53e4bc1628f0f2f5496391905e206921ad309edb0c3e0e310246f46c1a8ad2d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQcccwoo.bat

Filesize
4B

MD5
da883dd40860f77725322df5042b8333

SHA1
b8679c955a4704ffbb5e4a64369b6619c5d55192

SHA256
e9233a769cebaf56f70921383e547ddc6ecfafc2ea3d3771866a0c21c2b15741

SHA512
072107d915b606d73c77849174c2087079c867714ba05a0425a7059f06208247c8508b5b483a3d73b20715f0190b880b1a307cc122539c1917c374b1179e91a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUEw.exe

Filesize
22KB

MD5
a9ad9e1b72c648af02d91b031d4373c0

SHA1
9b3a1490d173ba70f90513f3946e03e189b532a9

SHA256
802a72e177bee880cab5084045fa37877c0b31fbd9999f45065805d9229214f3

SHA512
0e009b4ba194a8362e5a98a7d5b09a286c69439ffaf7925d7750d4c7e6ad760db4fc5d73ef3d6a5bc587f04eeb463ab05d1c0fe5757ef0114fb497662b69ac1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQcy.exe

Filesize
62KB

MD5
282365e4907b19588e9b89f7dffea3db

SHA1
609bd5468b40166306c1b8c63671296162a16215

SHA256
56676c52f1e46c92ec3eab551d65cc1c01ac26739f914131256fecaefd6efafb

SHA512
42caefe4568afe456874696eca1bdea04a309aa0474b0cefd9f085825c8a8b16459620fc8b38d7534d226ef8ff65d5d182931f8f289bf3fdc8b6e5203e516da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\USMkoYgM.bat

Filesize
4B

MD5
48ec9ca2fb7cd9f4e94141c3c3c7aadd

SHA1
55faa225095d76113e24d325007ac1a6b2541f7f

SHA256
6067aaeaa695d80096502c6c90c56ff3a3e4d4b49c7b7cd8edabcb28a0d05ff2

SHA512
8e3e17906573dd64bb385593d8f8344fd8c08332a14282d2eac598aeb1e96fd3c900070c0ab013e93f7b7c686e4ee39729dc27a14712625a8186212bfe4a8893

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYQS.exe

Filesize
675KB

MD5
4e4c74445e6e0bded90190faa6af1071

SHA1
d655f6d10f7ffa65aceb4840420afc1b4af9880b

SHA256
56bebd2d8854096e25cd57939ea63a09c868352870359a113c0ed1b78e36e76e

SHA512
e8c2013afeb4e6eaa1b36316822135c4b2261a353f890a447222e45c9c066554208dc3f8776f82020c74397b8ec9e5adf74f0b019c9819f773264b6d979c5de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uokc.exe

Filesize
148KB

MD5
f110685f4d2b70b7e1771d4ced4d60c0

SHA1
6a8298700b244729fa1686d5f7a6276436da6f58

SHA256
17975eff951f11779fb679528cb1bffbadf9c78073dd47840c824141b1097425

SHA512
c0a7e0e63bf81649973a556c4f37a7f71ff7117c32a8a38f1a05dacfe01f67c8e63e57cea0a21f078b0eb2d225c4d0098512a3e4b4f1d5c86eb09111166bd496

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIYsQcQE.bat

Filesize
4B

MD5
1e639daafb6cb6443f4a9fec467fb797

SHA1
6348c9e9addb5deb88b488668ad47094b0519601

SHA256
647db4ed27fc2fbac087987b7a330dda15862007f06128103b1e4a4a9b721ed2

SHA512
5b6bb2018a7c5aca5a412bffd4d807b1df8c0988cea575a30155e65d68ed59e72dd97cba72c5fe34ce63fcc6e3521ee68e71e597cf1b0aa1eadf347a5f7acd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkwcksMY.bat

Filesize
4B

MD5
1092b33139e27d678989e598e2a37e4d

SHA1
147c25a733d2167a2bacd3e4bb18f46f2cec131b

SHA256
2b608a3ed247408fbd2043eb47aaeb6c89aa5589084516ed768507ef4d63b83f

SHA512
d520f6b6a43982365eca67526c2db81b388ff2fcaae1dca66529b6fc5ced1702d3b77e2c5beedbbfd190b392f868a3368b23a48cb56e5395ea18f52f95d8da26

Download Submit
C:\Users\Admin\AppData\Local\Temp\YAgq.exe

Filesize
984KB

MD5
5295c7ceb65765e11c579d6e8d659088

SHA1
4c2b0b2f1e90011e969b51ee88d3e11b4c33dc18

SHA256
a4485c04653bb61764a518cfbc69d7cd324604a0032b76b21d684340f7b316ea

SHA512
23bc946712e58b5574be995ba445f626e0ca1ec696585f88e50ee73f9ca5618461f3dc7b39578bce96c80cae892b9c4b079eecce14736afbbf4ebfb4f7efaa2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKswoYsg.bat

Filesize
4B

MD5
23909bf20635f3a9cf36bfdd2c88027f

SHA1
ff674b9da34c77b56a9720ef3f21c89f70a9ec3e

SHA256
bda24d4f48b3337230f1c9298baf4e04542b051a0fb7e0e7b0b069f1b9b2f0ac

SHA512
6d081daa9ec4761af778233916a6485e5e84ae1425eb3f1f0655147da2d8a14f53d2a879bfd4e83d622413884d623182b64dbd2b23b41ec252e43a917a0aac5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQQQooMQ.bat

Filesize
4B

MD5
764fd765954369a085cbdc795fa6986e

SHA1
f8b8c0ccc8936cf00c11542960adc653c6e97265

SHA256
a688c62ec853311718cbf7f69e662fdac6d14b9763068094b760314c54bc8572

SHA512
2bce29bb2c7d559b939723383114c60ff20101e65aa541bf0317bdca72b0af69acab0e0e0379c7da43bed77922651982087b6ef121a1f6aa55239068b7005398

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwkEkYcs.bat

Filesize
4B

MD5
7c7aa8608f247c81f3df44473a8d0803

SHA1
724248fe2aac5ebbb3428b0668265c913d55b6d7

SHA256
6215f28ae7c2e909ea49fe348c59c33731dc4fb989a5572a4b2239615b7c3fbf

SHA512
f36061d62fa07070dd84e928fddebad608d363d20715f9987b9e1c4c1770efd74b21bf3113fc8446190b9b42749841593ba20e5ecdf132406c8e151d838562b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQsC.exe

Filesize
549KB

MD5
3f7cf3ee85b19d2bd14f06942b303e69

SHA1
198dae9c23a7c1331127a42e06d431466d0f8244

SHA256
83b16e38eeb21a4a32a9bfd61b1cef5cbe8d4dc4ac6aa8c072c718f7456eda12

SHA512
df650e7d90ca1fc723218996e0b6d1f1a3da2210441363609546b6bc4de67796243b89d5059dd5a08ac03d32d73d02634e75ba0f00714608a78a6ff5de5e0cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYEe.exe

Filesize
448KB

MD5
6a901f30fe938445460ac05bf78d4610

SHA1
2fdac79a19707269078bd239b5405c88ef5303b1

SHA256
1abdebff9b1eb306560039991d6912d1c751a922ea52398fe131c348b856e00d

SHA512
40cac9e22ce05d33085135da02b8d3c1f7dedb9d59040fe7f7674377d79e0ab5c7fd047e769460ac2103ce373d5a9ac099f3f36ddcfd2d9e43ad16471c99798d

Download Submit
C:\Users\Admin\AppData\Local\Temp\acAK.exe

Filesize
45KB

MD5
233a4608f031c77b9534ed75dd8c9ba6

SHA1
72feb6580cfbbea72be2547855182303f110b312

SHA256
93e82e68d8b0997b1d95b09e5e7c4765f60e04a82dce86486ec5bbd75ee7a51c

SHA512
42cd5562c8dc0dc8f56df6ecdaeede9bcfd8a8c0f61d9402e0db95c59f522e9c6cb87bb735c93c527214df3aeef19d127a39a00704b8e2e8bb38b5d3edda5d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\acsa.exe

Filesize
116KB

MD5
d095689391b6911295c19ada3aca1601

SHA1
804562f380b319370d1397cb7a4a074a0c7df3aa

SHA256
1b3aa42fed52d0c46459f3832a837aa1837dedf676d64a03bb3b0a2a00af2c57

SHA512
0079b2aa8616f4348e9a8680235dc10cd536a32a098ed28ce9adf09b54b2c9d97af648bee356b49d639978e36816ae6a5d9dfc07374305c620c37008f809c008

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkAIQcYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIEY.exe

Filesize
816KB

MD5
2796737df64c658a88dda7c87bcaa23a

SHA1
dd2e35eae5f663e55c7cc9d8dae3c97dfa69afa6

SHA256
648b2d0abbf47d2d2058da78e1bf7561c8a6601feff49c46c52a71953cbd2d15

SHA512
bcbcc8df27928ddfb02a2b32bca2c1c22c6e5eee56496b6bc1e0360447e3491d63c24079036471b650c355fb05fad5503b1e6bcf036f3ba33da118bb4e416caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceAMgwco.bat

Filesize
4B

MD5
6f8ebff530ba833605a4cf7c659e6005

SHA1
9b894cfde3d750dc696a7874c3029c39ce687629

SHA256
18f690dc888805dfa989b910777f058a63a18634291db5865e070347729a85eb

SHA512
90d824f6691de5f63de82359ac8bbcc6dc1ca7654d6b8d5735b2a277625bafd68a95b3354dbe83c05f9f859432353a42ed36ccdc24e84e441caef20d97a922fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cosm.exe

Filesize
27KB

MD5
bf6310170441e15eec2268d8a1778d83

SHA1
feb0d84e3502512f2cb71e6d693e3c6ec7254982

SHA256
43827668b47b4325b93f7d872ed547b9b02f576409afce7349be15d7b6a406a8

SHA512
8f8a2b902e7d27719c49b753d3b889103227cbbfca659f9a871d054b39d7fdd763d81e02006580950003e8ecae756084405ca2ca323e6eb0a9f8b14ad8d91d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\dKEkQMcw.bat

Filesize
4B

MD5
f2c421abc6674ecb828df5e8de696a04

SHA1
a5b948ff5b8320d8223c03423efa3471b2aea659

SHA256
3a3df2fea130c01a0cea00847e03c3538d8811eba2e588d3c23c329f2bd2c736

SHA512
6eaf7fba711b682f1727738b3ae5bdc5032d1e48d97f1b5e1e3c52f44439b6fbbd04e9af068db397d29c2fbbb949354ae6fc92d5389001550fd988fa119c6a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUQIssMo.bat

Filesize
4B

MD5
c073112502d8a34d7c64cb102ec2bba5

SHA1
1ca4c4e670f63678fd17fb2f2bc18606bc4211cd

SHA256
ee4e8d53c51b96df8209448fd63069ce4b46547562f400df1f8a9c4c1176a16c

SHA512
8ac337f0fb93b245b38c9694f971c2f93b3b9a11e477ced3e7b31a5cef93fee42c6b864a35342d115695f188295a269dede47830c1f01cabd7bc85ff8fa18231

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgMMIYUs.bat

Filesize
4B

MD5
ef72bca4bb906ff1e3a006b091bcd909

SHA1
76172f02d0a3d941393fd47f731485b790a94999

SHA256
2f3515676c9b33987386204215e5c2c9bf9b0257e6c0f178a24b36a779b7b565

SHA512
d1feee28a6e8e69b958af2dfa269002f2c6213a73bbaa59aeb41425019fb26ef11dc04de7f5182e79b624c0d690bccae571b51912b3ca5c4a3eb15e3a480370a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAMw.exe

Filesize
197KB

MD5
92b94cdad5b011764eacef7be8a6ca02

SHA1
e843363ba41c21d188ff07323c2e541eea45b634

SHA256
1653f4b32f5b591b4a9bdc7fe7c53c9ceed7673a1846bf94ad1e75acce5e1ef0

SHA512
971812165b2fe31f6581f1ed27f0d8ba01ed0768f57a534f42c120984b2f9b9fe73e18e0bf28beb6ba927d5421bf88540d5ed2e41305b5505442f286a31f2a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIow.exe

Filesize
11KB

MD5
1a3e32427d86c643dd8fa3ed653d5e01

SHA1
5d961172b216b65773121d391bc19b519c0b58ee

SHA256
2fce02483b07456c60e228935bc8d3dba1f09c07f2d10353a312fece2018a810

SHA512
a7283f66bf6bb44d27c7ebf3531f168afbbd5e0bcd1459d051ba9372fc2fd27543ae5bb15a53ccb740df6bea00e6054c55b2a56c4177134617740fe72db440bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eWsUcskA.bat

Filesize
4B

MD5
05256fef9132880cfb8df45f09221b66

SHA1
42cdd1d83ed54e47127acd032e8c7442a346f407

SHA256
45d916747fad73c82e8ce935cdc1e4436d0df5119e191988c2df7d19972464c7

SHA512
0c6276ab9e0145fb9dc88713ee66cb18753c440e10e0603c8058086dd758edb318e562b687d00bc2df6f5d92ead1bbf3ff8767a4e896295661390189306c80a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaIkMQIg.bat

Filesize
4B

MD5
5150389cfecf97295931b8cad9002215

SHA1
aae432817bf569fdb6466a41371b6795adc8418a

SHA256
11f8f045362b8c51caa1382fd98d3d17632ae683acf07a33ab9f789241e4c67f

SHA512
d5b912b3df685ef756af6dd52f9274ffceea51899b307580796b0ffc393df0237ea57f7289425c222caddc09e715eac59afafe1eed16500600afe39a3f3b1156

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQksUcwM.bat

Filesize
4B

MD5
64cf1425370a6e982a33d5b9f16ffe51

SHA1
df995cba88c5ec4a47fd4049d1e9fcfeada26bbc

SHA256
246afc4c35ebbe85ac772ad7ac72d0a7f7ed26e09aa179b7c828a0109141d1ec

SHA512
cbe90bb05006cef01d8fe479fcde8754c4be7e5274ad3b6634fb85d61f9b6a413063ff8f5728d62eae389a6db89ae7f08811a5d00e9145923f8a9f26d1a69a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAou.exe

Filesize
178KB

MD5
4421952c24a763a1640cc97c0f3363ef

SHA1
b02259b93c1b8e3f427c9e3e51e3f9830dff6a3b

SHA256
17362f5a4aa559a751fe8cd671e5d02f340e2715a65d1a23ccbb30ddc3a0fb35

SHA512
d2be88e0a7c7211784479060802141cdb7cae46c492542777ce57c4e7a2c77d75bd012cf5d6bbc780b35cff359550c9bd5d487520120a651194c934e43c6ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsoe.exe

Filesize
599KB

MD5
05c95cb59d4f7f1a5d482e4a1691cfb1

SHA1
65e3fce567b7fe0c746161de4ad60961b4fcf4f5

SHA256
a8355b83681d8d54bccc7828f6442df99048ed6bfc7822cf695373e4e709191a

SHA512
8928302d672e3d57829e28a5b4a0111efe1244780cc56565425f44162cf7a7593e6d805e216f0a8ffd497c6d8425c4c2671be0f7cbd1bd6b9cf61b14347dd582

Download Submit
C:\Users\Admin\AppData\Local\Temp\hAsMIYko.bat

Filesize
4B

MD5
61f0976713a3d0288b8b8f6e80709ab7

SHA1
427523bfb0fa6672830e3593088460749d9cf43a

SHA256
829a771a066b8e49369b965c5f12e57874faad4b8e7f55640e3abeb8b4a0cd00

SHA512
b17fe58d3c78e266b261353f61a8e3e02d1b0455674c729582c99e1f838f3ee5ce0a71c3cd722cb76010fadc5d87f9aec08aaaf5a718879ecf6505d5fd37e44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hssskgcU.bat

Filesize
4B

MD5
cdda9e2edb6ce53c65c94ef2597dc155

SHA1
e9f69b137e90730e81c5640f9bee2297a09c988a

SHA256
e890980be5a5941351cd8cd79848089cedebb104e4b9f8ea0953e7c0e0a14d55

SHA512
b80002f7dbf754a9ab3df9f67e62bc46cffc5916e6258ca43e43f19cb6e52abb98f60ba552f88789fa0e270c5601d7cc0547bad54b292aad01c4a946cbbfb96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMwC.exe

Filesize
51KB

MD5
16cf020aa12ffd446669e49e4be32c4b

SHA1
22d0021d654f9c22818df9bff76bc0c4c278df95

SHA256
89b366be81f08b92ccd065e099fb6f4ff1c137e51d1cbb6d2157358da74d4f8a

SHA512
9f4f9c2096565f1bfb7d9809952cbb78f78fab70be81c280c0e8df2b09c036138720fe4e27aefd3385dedcf1799feaceb53b75251e68b8e25e04392e985c7ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUUksssI.bat

Filesize
4B

MD5
a0461528bfc8355d2a1b802fc87e3d97

SHA1
f095706a21fc6de9d10ad3a60f0e7de713f5bd72

SHA256
4853f8b48f8a35a35b5a6c846dd31d927d496bb4cc13472de67eae57059fc17a

SHA512
691542d18f1cdf5d871ad7167c32b76b3a67ea4411208e30b69263160d1d0e515d364f6970404702f3f3cc015e1716ad253c0593973470026e5e2558eaf97392

Download Submit
C:\Users\Admin\AppData\Local\Temp\icsy.exe

Filesize
481KB

MD5
5bad5d3ad5a9baa339fda8865874c4fe

SHA1
514c071ac61a54f1559cf8c14f2250c40e424b19

SHA256
6544f1d08e9f21e51fc02b584f90327f4333a3d8c4d527e7119f05d37bc0a3ca

SHA512
8f32adfe478a5a1adbdb19f2a95031efbf88cc20f6df61e637e95f7d71230a45d8b46abaead8083e1718386a43a117c19e666389e1ca45cc5131b216b180acf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\icwu.exe

Filesize
471KB

MD5
2055e8050d54c495f15e8e6896354865

SHA1
86697004e11151ba0be9cf3a1447ff9d38d88397

SHA256
44515ef2ce2efd0ab364c869f12ee3766b8558581f6c830639ead6b41f58515f

SHA512
da7324b0e53e5383b2572311b19c9fa945beaa4b6005e76035df82b736becb85da0a9a2defca375e969bd894528239d1eaade2d630a16ca02ad7bd243d4a582b

Download Submit
C:\Users\Admin\AppData\Local\Temp\igsK.exe

Filesize
45KB

MD5
673e3c0de0967179e450f25d2936c9e6

SHA1
434b72c81850ba1c16722a1777025cf5488e1f2d

SHA256
978de73495fef49686c0865a162f5c801cb2a8bbfd48d0af016f5d1d72758f42

SHA512
662e6be83e9120eb629da8ccca7aadf79a9a8686296d16d02c1f7fc949431155ef04e3041094f8eb2716a620a3b742be1aae62398f9ea2de6aafe8a62e839a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioIs.exe

Filesize
49KB

MD5
e18b847e351b54c1767184bea46b3d85

SHA1
6dcb5fa3eb71f08744fbd87fc27406bd6dddbe29

SHA256
0be3d935440096d0e1b131f5dfa18975b10c61e37157ad1b10abc0cda96ea632

SHA512
1d37ab2fac4c051d3ff94bad3544e45750bd8daf138fd904333ca0b4392dd1e7c7c0e441e61146475e3ac397a97682138208437499370d1506057fed9e94bddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwQI.exe

Filesize
135KB

MD5
39f7d0ffd601ed76950858ff87d9e7f3

SHA1
1d84ae544da72de9ac75a7c06506edc0508d9202

SHA256
a7e997bc6968f99b2dc20360631fb0c16057bf50cf09fe674ac6b2bf621b2c90

SHA512
4fdc393101798052713159f0df3711a1a8524201c70194080e0feebd6394aeb08a4b290d40f391ed693315878a57214d022c589e640e0643a695a14f8ebbcde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqMocokg.bat

Filesize
4B

MD5
85e892fb72129f2cbe7b852f60b655b0

SHA1
29e7f91fbc7bbb1e15a6b96c3c1baf45d21ee231

SHA256
576615a35421358c7584694c880bf79ef9a76822b20f46df687ac16b86014813

SHA512
e628329d4368b37a6b0b1f56e4564c8f467a40ec15626c39bf8dd57f407b6148d11f6d22c8445c3e29f611ed185b938eae591d0e9ccac37a1507c768726afa8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqgEEYwc.bat

Filesize
4B

MD5
df706c78adec9b0a5fca232f97f2f2b3

SHA1
045e088c37355681217f2890a20527fe6eaf28b9

SHA256
73bf22721425345d52dc6cd4e447cbe6870a4891f94edcf87dca2df4a8ece5ce

SHA512
11ea3c8038ed75a58a9e22133b43128b462513cff00ede02437ed81442649c4ce4c070828ebacb6ffa0ffadcb576caee5f1e7e2557c1ebdfb1245f4faee8794f

Download Submit
C:\Users\Admin\AppData\Local\Temp\juYsQYkE.bat

Filesize
4B

MD5
5244c6a90b3c3832df26bb682e9330ef

SHA1
fce0b105862e2cf7c541e7b18821dac297370dca

SHA256
c43d0842162d1a86acf97155507788dac82ddfba5f06690166092d04ede998ea

SHA512
5e6f175d047553089218dea52a4cad3e476801fefc128a69e59d8d3517313787d19fa2df37cbbea821f549eaa474b2de9fc58e6d6636768215c8881490893dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\kCQoUcQY.bat

Filesize
4B

MD5
50e50048cc4b0dd60c7ecbd7432ea15e

SHA1
989489ff0b0fdc311428b2e020f9b1843c881c5b

SHA256
243c17f4ee74706dd6608448ae7509cf34106c70db5e4d23c2849a65f071c74a

SHA512
c855e21c884d5fc2c7328da7fae67130826773a770c15f0a96d0ae2f8b2ce20fc6494f75c62b327f5d817bfbc298573a266d3e960824f351b15ef50885460e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEcEAAog.bat

Filesize
4B

MD5
cd272e15866a43ca0e4185dd6aa3112a

SHA1
84c055284c40fe6aa15a5ee9e5d9dac68c386743

SHA256
f3d976c44e69c10792baf71ca56d9d2bf0c839f65d03aa0698ac9fd379a6aa94

SHA512
959db4f55b9a3a70b17d9bae4a3d46b722280e91dcba624d2037dfd1d388143a99f225c7ced5942b31126bc0f49da173442af2a41960599d429851b67f12e507

Download Submit
C:\Users\Admin\AppData\Local\Temp\kSgMQoAM.bat

Filesize
4B

MD5
0e688854576fd0d2c6dc6fd7a48fb0f5

SHA1
7feefad3cdbf626d8d95c4d085f8c1a505952ab2

SHA256
42aaad6f12eae88072e8c16fc352bcab603f97d56ef5d575dc743bbb330b5535

SHA512
6fab07f87134269ca4045a824a3a7490db4a0088b1766b5501238d5739646cc1795f44872ac04ce1c58a32fd2dd7e486376fda0e38e7732962bfb8e3fc466b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYUI.exe

Filesize
485KB

MD5
dcc19b6730a219c904445cfc7e372c86

SHA1
3c84a41529bd848eecae80dbc0f79afc93e84de0

SHA256
6bbb1a19cd559b248c2cbca294d0f463a30904bd223b6f45a260f64c290539a8

SHA512
fda5714dd855456c33fa55811e5783abb29aac311d83745474c0b7b241ad0854f87ff19abbbc22bae8696089cc69a11a382bb40fce136d75813e69109a2128e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYsAwEMY.bat

Filesize
4B

MD5
90a214f5ef0ec13f31b9cf7ad1609f91

SHA1
c88d22b2c44077be1d28ecaf5e20a152ed677b23

SHA256
ee21dfbdebd5f60ee4ecc6e6e23632ecd1b8f8365c2a0c2772cafcde17816307

SHA512
c7138880814995c2525dc328ffc53b3e489f01828ad9f353784b8fb690b7dc474195c5d6d1f7e9efa5ebf68b877c3c59e1f5504acf3859380840b44657ba0f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAEq.exe

Filesize
16KB

MD5
76fff98b1666cdda98546c9864fc2845

SHA1
76ebcaaa76f43cb4abd1c20bec71d23c374b9cf9

SHA256
3d75b57754860b6eb19e7c68e6dbd5991c3dbe0682466ebe624c84a2c522cee0

SHA512
7995957b474b73f2a33f8d24f447bce3bdbd0f3bcd7cb4de5930e3196a52b1f8ddd5ee27d0b84d84e93fc1a16bcffbb9ee0f366ba104f842528d32cce5e4c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMEAEAsM.bat

Filesize
4B

MD5
85e068a2a0989f1f8184389c8912b614

SHA1
9bac47b9155d971484f14ff287f01ffc807e7189

SHA256
6bec59e22a5f061453f9c2dff4a7e3be107d5c8d8eb003f4d142adb20387f336

SHA512
a42e6c9d98304eeeaf2723a11d4b864778071055d5530de2b5ba1f1cf216a507cd707f7e9b6fb4b5d67b08141df689c57026dfa52d756c46b4059868b726a5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcom.exe

Filesize
485KB

MD5
716ef196f62ca0c6cbd2abaaba035428

SHA1
4a1c68d2f2e2dfffc21ec7aed2bb19ea577e46ca

SHA256
b0dd5588a9ca89ded4311e7dd3feffd7516b0f82344efd990f832ecf14fea54f

SHA512
8b0e1b988404d25d3355c04923fa0151dad56ebc30ac5de944bc4d96a0aaf90ae93ddf03bc99ac231ae4e515e0d3fa969637eac303d06dce53e284e723779050

Download Submit
C:\Users\Admin\AppData\Local\Temp\mocwsYIs.bat

Filesize
4B

MD5
f6ad770041264e452b83685b230efa74

SHA1
1c31ca7a489f3ba81f64d3258b30890421673113

SHA256
b8e9407c327447270de8e7104c3a20356567398c6d0031f6c2684715cb15105d

SHA512
2c03f9e9b4d843331047d1beb71b0b660ddb169649b4a44ed5f9722fe76a7761e1049bac80713ceef2c5f91d44d5a7ae6e2dedc9fb8dfe9ba20f01a8b12daa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\mowC.exe

Filesize
137KB

MD5
99feceffa0fce6abeb2e7198f07b0cb4

SHA1
51bfb1b4d7e0dded87f37ec706ca4b3742e7e64a

SHA256
6835d86acec5c72cf6f947bfe0fc4239ccf32c2cf07b0263b5b779d5fb07fdd9

SHA512
0df09edce4d9072a450ebf35253e2dec4ce52b6d765bc46a43de00b2613369ed513977f87e9c13528999a7c060cfc7a1a9452a40146dc4c6949a3ee493765a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKUQQUsY.bat

Filesize
4B

MD5
6f0a0bff0854459d847e92723a286ef8

SHA1
ab3aaac08d32b89e1ed5c70df7096e66fcc73db0

SHA256
5020800b2e25075501a919a794ef93cf56812962734ad4bc69b1371325159516

SHA512
d0784b94d60f808fe4c1fe8ad008a6986877a65c8de9980b637b00832fa9e967ec6755c0ea6cc3c4b2325260882476b350d507deb97d395b64d1b8f232279a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooIO.exe

Filesize
74KB

MD5
0178c52510a1233ff9b8d3bea76e2594

SHA1
9cbcb19e6142de869da8a237dd8d15be87d07abd

SHA256
d3651763d6b7a1979fc4d4fc726a7f274308855fce15ba0c961d2e506e45e9ff

SHA512
0a0b1ec529c1975839118a23e43acec82d42e670c1e8cdda5f05808ded9cc54f53c0c72cc24dcfa71ddea48d71ba740efec6364b2b11a4a7b51f9c6bf8213bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\pScEsIIU.bat

Filesize
4B

MD5
97706599d78d6aa5baf31c8b8cbc8092

SHA1
cccec2cd03684665727f1ceae01734d3b1c09d53

SHA256
91cb7f30cd9de97dbdb0ee4e43667aee75cc4a193c0da452325cf27b5c1f359c

SHA512
e57d40e8868490cc4a6d73a9b721da83f94f52391162ae6f1b0b3d7ea677ba45c3efef369f90a2a84e8fbfc6b062ad557475c71ccc56ac3808aeed28b68cc76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgwo.exe

Filesize
443KB

MD5
7fda15810fe5f99221dbaf85610a661e

SHA1
3bb3d5924218f0ea56d7b9a1c08d11e0869fcdf1

SHA256
2ca5a84023767c7ecf27c6604833549f3010e8a7830d07d25f4edc4232fe9214

SHA512
31c02f75a145ebe9f6773de5db2d69aac23fb4f06d4fc3052fbc31daafc8715e3a74f4df0ee1e012a65c6fbd1486672ddef8878a2c9a0476d6d1f786e2b46a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwAc.exe

Filesize
558KB

MD5
5ed01f84378646563da409655acc0ec5

SHA1
5500f29b2dac44a8aeac70d039ff1c9155d56cd8

SHA256
54a76734da5b84b1d778b39674c27ec375e354f020345055da2c1eb0607e0273

SHA512
2ca6b604fcfe18d766067a42e56bba07a83d7bc1d891bc5105615981a3fafb5aa4f4744560e84268e5bee85088083abb78c63ff99b8fe99d0a9581c1a1fe8837

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkgIcMcg.bat

Filesize
4B

MD5
31d038b2c74c172b4b8098f012f0d589

SHA1
455be414a317c0c39caed97b701ecf5faed39223

SHA256
5b3b1e24c64a9c23782098b7ed59f67eea7504bdc20aad09dad544e9b8f52c25

SHA512
bf4433362e66e2739a1ab92c642008ba4dca533bad34a6a7dcb735ae23b5654b086e6658a87d434c9fa5ee9d3be7eaa52050058c2d4c4d91a3b3636eb4f2ce8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sCcUwIAU.bat

Filesize
4B

MD5
4b64bb9e1ff8239165568819ebcf8d08

SHA1
e096387c64794ca0f2bd4e34ef55be33e7a8ee26

SHA256
e403434a33e864f9aa2019a88bfec91aaadb9807b2471a0d0972e7146e5bd666

SHA512
4347a17aa185dabfb2e68acdf70a0fc83d1af16b2893bbc95fd3eb0a62dbea380735ae340a088bac384609986452ffd32959fb52c1fbb6397dec557e56b20d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQkw.exe

Filesize
297KB

MD5
6bf6a87edc6e912ecda800e6ab0b9ca8

SHA1
085934fca3ea71ec267a23eef8b4c2a09ba531d8

SHA256
ecbbe118a84bdd7d1df390b6d285a5aff112238b52c1a594138777584bd3b4b2

SHA512
ff87ce6df03420288e1a1ec00e3fc3de173df1f0e56eee1b12e537b647bce72e076377c0bfe5df07150b4489a0105aedf5d5ded8cd455ebe28c27cef3c9c2518

Download Submit
C:\Users\Admin\AppData\Local\Temp\sekYIQQA.bat

Filesize
4B

MD5
cf76e9c39cc9b5f584a6144db783514a

SHA1
070fa3a8f91fef91784dd584a6b70ec819d05a04

SHA256
06ec3a0be7aecde9671babb34e6d65b52acd3c31242bfcf74fe56c7c7cc5c970

SHA512
e6498ad8a5cb68a5b8d89f35a7ec2a439555b446b7665ef261b6a4af661db3a9b295ab97df4a2f95fc2dbfebc86557fa59a78e39e76a3d831d5dd091546c03b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\soAi.exe

Filesize
411KB

MD5
c3e4764037e43a77bfb7cc5789f200e8

SHA1
fb8e9bca9c30d655d014c29f4c293e1ef9c3d4ac

SHA256
59e3ee791ab7a5912c4e0ef016eed89b3fa37922a41d3d8368115cefa4f8f246

SHA512
d50d10182683c3cea194bccc410a5049821a0f85dccccf41b5277d232a71a1250b23dfc331043b2cc7e49c28954e45cd70c2e341af573b1eb6e95334525d537e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAoW.exe

Filesize
33KB

MD5
ca2fe4783f91155fd10c5b8deee09010

SHA1
7413ee202ecc358a090828fe1b4a2256a3cfb39f

SHA256
7fc4c3a5d5e5648f9adf304b4d32be6533d45bf7a2c192820d191858521820df

SHA512
0936684391c85c3b8f468b052579dc104ecad84ca41b6f7cb28c30590c934aabe19a2bf971a854cf5b0ea959d4d19578bd5d06fb2b26d9b5fd47e4170e70cc4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukUU.ico

Filesize
4KB

MD5
688d7cf2301874c0a5ac820e9fe6de9d

SHA1
d4a770a4f77b473611cb375f7c3a6f36e9d27c50

SHA256
746bfc348164ae5fb1183c53bc96ff184a2ebd2d0cacb77ffb7f5161901bb179

SHA512
3f5c7097a3eee67a0bdb58b820b7285753dcc9caec7d4a7f230e396fb26ff1b9601ab049fdd5a37244ff9a2f7445172846019b2bc1e9bbe02ba075f4cea7abb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEcoYUUs.bat

Filesize
4B

MD5
dc416e0c980d1b590fd8653a02040945

SHA1
7faf4c1cf6e99a92333efbcd2f99bdf2123a9369

SHA256
541e4d04b7a9273f26f0926a690b7eba665c780c81c63c0bf6083c7752559cb9

SHA512
85596423adeb472f0dac5b0c5918cdecdefa5c6886800edccf3801891fae318b255dad32a48b9c8d47e9f3963f403e8a8e89b88aa119e1e8ddd5f80dc20cb345

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIUA.exe

Filesize
663KB

MD5
a1ee7ab92a2bc70d911a83c645b696ff

SHA1
00d95c1c0302c8d5564d49d463821a4d0ca177c7

SHA256
edb0ef152bbea503fccab0ef7706c4bdf29c93e41b868cfddb02a88759c60f64

SHA512
7d8ecf47f5599a5a953977f284dbf36a6d65c7b86517c4970eeed64df8b23e5ca6b360eed79257843c3dbef5f6d3061387afbb6bcc59cd80564aa4ef43eabfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKYMMUso.bat

Filesize
4B

MD5
057068c881c9b349ee96b334e2084e61

SHA1
88a49cf2e8ef942f2c388939587d11ae05caf7d9

SHA256
321be34b9b696c7c5d8f7defd47cd0b2ebc19cbaca5d840d7eedc5ea6771b47c

SHA512
3368e47975efad5367722da93bc63410d69fa0261363f0ef997ec8aad9468d6a8cf560a3a407ac105bfed6052f0027dee2a7c522fb6731aa4b5dbc3919b6f4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQIm.exe

Filesize
176KB

MD5
a8acb4fceb639d14a345d33ef9df1cea

SHA1
144932aa8d24fbab76bc75914f86267a85852981

SHA256
c66693587aaef48737467fbb09fe92faffcf0f08878890db1072884a6959341f

SHA512
0ba0662cdf3fc435582414e72583c315a7134c94832bc94f16b98786685c06be7049e09b8ab8847858be8bbdbd655656c7b3f6c8f472c1fe003297596f65e0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wWscMcsU.bat

Filesize
4B

MD5
261978e552d8590532aef081e3aa0551

SHA1
ffaa13f0be5750de40b4f616f3fccb92a2a7ef27

SHA256
e2b21e97598b07b489e6e525393deb99182d965822c53ffcf840f4bd3d62eee4

SHA512
979168bc5e5e1882947bc926b1169c61f1d28b855b3559a2de18409b7864f38a79880c8925c2c6569159877f7da7da077a9c73321a38d8f15cf95a0ca1232525

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYkK.exe

Filesize
381KB

MD5
96c15e6eabafa2482080c10a22ae4f26

SHA1
5feaf0956792a7cf6b3da8394fa74e8a11a08bc3

SHA256
5075ba6b5d3804707c71a13270e0ca6ca69c907081e0ab68f54658a309242cd4

SHA512
f8265d3f5235ba51cf0f7a378fce6125c8ff367ce7a8b144cab9b7d2734222b607e79a663db836a8112e1fc7ea579b3a82997406b03c5d5f89588a846856bf48

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcUO.exe

Filesize
515KB

MD5
013c1aa36bf608c12fd9f962c83bb89f

SHA1
6f559c756e79f38da0b6203d9403634ff14b4c5b

SHA256
8d031d2878a39b437ecbc3250b7e7a0f3234c6bbd892a5868c3bafab654524c8

SHA512
2fc70b68ac33e1c6fd44375d53176d3c0ee58674075cb5af78d3d40867753aae9c84ac63b48fa7225d986065700570d9cd74cfffc7af3d878bfa98c33c64e3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcsIEkIM.bat

Filesize
4B

MD5
58fed8a338cc197e1047cbd456458397

SHA1
d0b3ad23be1837c1ea0ddde8fcc4ff793ae9d6ab

SHA256
ec9ec07e8a0b5a88c1e00ff488ab9d05f14ce378544355816f1d5f094c839cea

SHA512
ce18d55b527a90904979a4643851b839bf484cafb10764a87682945a6d009f339d6c69cae6274ca173a0b9b6dba161b3f32cbf94f8681caa0b717b746229caea

Download Submit
C:\Users\Admin\AppData\Local\Temp\wssU.exe

Filesize
38KB

MD5
3a83edf9688c6f4f55a3d43e5b5d0c8b

SHA1
5223bc389ae0767404e16dbc96d8bcb7665139ec

SHA256
5fba406e6146c207ddc7c553be718892c9f4e78c6cdffa636f2c3d172001dda7

SHA512
fc864ad2101ac907e0642199a6ae98f0356a11753f4cc15360f87ed2828993ef3ca10344ed94a0d129b860973fb505e15e31f971425d26c4d49683b4f1cd9e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyEU.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAsK.exe

Filesize
182KB

MD5
b6e7ae5914919027ed2ca90395c57343

SHA1
a6f4c6512ea4431f3aff86a826ec369bf03b534a

SHA256
a8608f76d9d9c650d759a2338f081294480a6e928c9cfaf37bea9b71043312f1

SHA512
f41ef219c4fef468f507a8150814eb22b8561c031a6ce8eb48d7c6705f05f971a27082bbf97798cd45a5f3d5705f087788bba5e7c2506229b6595162955898d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEAk.exe

Filesize
155KB

MD5
1c42c3d20b6b6fb46a2e3d056402e674

SHA1
60f400af32719b8c0952e89a87ddd9b95cda287b

SHA256
5bc211559dbf0e0da496a32cc4a440e4aecbf5c8f7c560c8f16f822a015594a8

SHA512
171a946899e8d4e6fa321704b03b7499505d8d893506f4d78aea43dd596bd23ecc90f3069ecc6a85122dab5403f579fc6132aa0a4295af0b534602a98633c54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykcE.exe

Filesize
45KB

MD5
ae3d448e56158d26e4a1a70461b831c3

SHA1
46c8260fc0ef99539e0d508ddb6fa4271164b0fd

SHA256
c9dbbfe3a6fe218d4cd8f02ff735d6e1ef7bb7fe7eae7067189d5f2a6b911663

SHA512
61386e15cdfd1eac98a8825522e4bcf229f52115e63a2ba4b05182f9450a518d31f379fb6d07b26bb9146f6ad7bce1960ed86c27bfe1b82c91357d4409eab08a

Download Submit
C:\Users\Admin\Desktop\ConvertToExport.exe

Filesize
1020KB

MD5
b82e801330cc984579347545f8185735

SHA1
8dbc805855363d6e1dc0f9216fdad07b7f718923

SHA256
f02c55ec2e7b9ef8c85d71b8c3cdb84da00e018e03bde7ef6d3e5afb62327b91

SHA512
cbd80e0ae0131415dd968182f17800884c6c44e7573d763f234ebb1f91a07f8fdb11ed27897464db94d95b9606a1a4ed86dfd57b739d57f531af864ab02e1860

Download Submit
C:\Users\Admin\Documents\Are.docx.exe

Filesize
424KB

MD5
b7a7045f3ee42b303531b243f3b1b2c6

SHA1
55e751fe9e3aa37b2de0535f9312cd11979815ff

SHA256
590722b9e5895335a63d5fad56b53ea350b80a288b83447bd72c36df22b41ecc

SHA512
01a307bba7a0e6566e1c88e092cf8725cf174e1fce35252fdb2d121236e17baae1088010f27ed28b8d1d86bb1cd17f329f52f99d8f790b659fe2ba7eda3c7551

Download Submit
C:\Users\Admin\Documents\Opened.docx.exe

Filesize
444KB

MD5
ab4a56626aa657c229e0b54ab9fb7411

SHA1
c49a562bf54534c6b2d74ec01bffae2794c25810

SHA256
eda9a316757fa54997003f8905b11cfe564635abc4d50b14638209b064e0b0c5

SHA512
56614d9eae0affd68bf93646b86d534e96eba5c33f94455fb1fd4d2c92721b1726474fd1800eea5fa0481c85317d9fb1eff5f3b1d3fe945b4dbef0e576b6bbe8

Download Submit
C:\Users\Admin\Pictures\TestDisable.bmp.exe

Filesize
543KB

MD5
74f820780d7f49ce265abf37071691b4

SHA1
640030b8338ee6414be08074e2b12b28cfd97ac1

SHA256
39b4c8df523d5c6c73441c6fcd2c0a5d6459bc0173842493f7d869f9e89b9a12

SHA512
a99a08a121157a3a34df0a2b27a3c503d938ac4ab4bfcd035ac945fdd34ca8d55b099d6034fc215749332fbb95496c0bd05c1622bb95b674e90853d7c5893db6

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

Filesize
206KB

MD5
10e816bc2669fd2116d603066d5380de

SHA1
da076ae0a5a3160ea70fbad6e355711effb696e5

SHA256
4d590f80119c76dbf007671c2153269fea44efc08e853bcf0983cbec980ca07d

SHA512
dcf60afd06dc34e6cf248a9d08714852eabea58b75f074a914a8ea93772cf8c5d21031a78fb5f0dc66e592331c4694978e60509e00fa4a484e91299d6b3900f4

Download Submit
\ProgramData\qkIEAokk\EEgkYAwM.exe

Filesize
155KB

MD5
25bfb1b82e1c97107bb2a12450fbbdf9

SHA1
239684a6d52c7370e22934e7835ee031d9ef32d9

SHA256
e33f47bfd40f34e8fc07bc3c8fbd3744a9c125a0ebf14b78961c914c1895fea8

SHA512
c804b6b2ae69d355785058f7bdccb3b6e40661c2ea3736ddfd5b67505ae501fdb8b4f48bd94c43e22476627247905a2b54c39b05459153b31240b17d9d54fc91

Download Submit
\ProgramData\qkIEAokk\EEgkYAwM.exe

Filesize
433KB

MD5
0bc1560e482ffde839695416671133e7

SHA1
bc19aca16c268d584e9df5ec388783282fdafe84

SHA256
1ae40d2890750d6a90f5815f44d5e12ad582cd228672080143d312f6a34f42a4

SHA512
15c4a17d181b2ba432dc3d55b2b653b68b32bdc14499e00d00c58d9b2aac0e9f30b7b2ba79b0a14d7f28db11fcbf5e91488d5f4c08d9c8ac679620f3394558d5

Download Submit
\Users\Admin\DcwYIIEE\AmwkUEcU.exe

Filesize
437KB

MD5
43c6c0501c24012272b1a9a7e991ae3d

SHA1
60b66fe9324097e88695198df57849bf9dac32e9

SHA256
970a3c3435fb12b58599c023ac3d63f3cd85eb4292d4b8cd7ee1257cfc9101fc

SHA512
52715e1efca2c2f82294868df1f6c0e98cf495d29f0f76ccc83edd3f5e074d6128e3c832dfe9974ab7f5654cae80649dfdf1bc490b20676e6ae6b7ae5c5002f6

Download Submit
memory/808-212-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/808-246-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/880-176-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/880-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1020-573-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1020-545-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1128-213-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1128-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1336-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1336-161-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1380-268-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1380-236-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1388-371-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1388-402-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1400-478-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1400-450-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1528-326-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1528-358-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1576-516-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1576-488-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1680-222-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1680-190-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1864-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1864-97-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1872-304-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1872-335-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1908-110-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1908-142-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2040-259-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2040-291-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2096-120-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2096-88-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2308-189-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2308-10-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2444-507-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2444-535-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2484-459-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2484-431-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2644-281-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2644-313-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2652-166-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2652-199-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2656-44-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2656-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2688-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2688-235-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2712-602-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2828-348-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2828-380-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2860-412-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2860-440-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2864-611-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2864-583-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2892-621-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2928-526-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2928-554-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2952-53-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2952-33-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2968-592-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2968-564-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3060-469-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3060-497-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3068-421-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3068-393-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download