caf95c614009163f06b890c747376d3a06513aa6498f3378cafe6391b7470015

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bc932bf53710c0dc37e3a16c0975a1c.exe
Size

464KB
MD5

2bc932bf53710c0dc37e3a16c0975a1c
SHA1

83bd73dd212ac325f61ec9c16d27b9f5368c1926
SHA256

caf95c614009163f06b890c747376d3a06513aa6498f3378cafe6391b7470015
SHA512

ecb9177e9ac0d39c43d8610578614af8aad09dcc5d8d261197a2e1968c0ceded5c02544b64a9d22b4717abb41f0b8127a62c878296cbe89a7325d94106098c3f
SSDEEP

12288:OFzFvBhbCs9GH2wgtsB6+y3PaOPeJDrRnKasZzb:OFz9GiN8fyFeJD9X4zb

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2bc932bf53710c0dc37e3a16c0975a1c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (60) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	fMwUAswo.exe

Executes dropped EXE 3 IoCs

pid	Process
2852	fMwUAswo.exe
1616	bIEEIkAE.exe
2104	LccMIQEw.exe

Loads dropped DLL 22 IoCs

pid	Process
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\fMwUAswo.exe = "C:\\Users\\Admin\\YuQYAEMs\\fMwUAswo.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bIEEIkAE.exe = "C:\\ProgramData\\AOoMwwAg\\bIEEIkAE.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\fMwUAswo.exe = "C:\\Users\\Admin\\YuQYAEMs\\fMwUAswo.exe"	fMwUAswo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bIEEIkAE.exe = "C:\\ProgramData\\AOoMwwAg\\bIEEIkAE.exe"	bIEEIkAE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bIEEIkAE.exe = "C:\\ProgramData\\AOoMwwAg\\bIEEIkAE.exe"	LccMIQEw.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2bc932bf53710c0dc37e3a16c0975a1c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2bc932bf53710c0dc37e3a16c0975a1c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\YuQYAEMs	LccMIQEw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\YuQYAEMs\fMwUAswo	LccMIQEw.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	fMwUAswo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2712	reg.exe
2176	reg.exe
1448	reg.exe
688	reg.exe
772	reg.exe
2892	reg.exe
2352	reg.exe
632	reg.exe
940	reg.exe
2252	reg.exe
1052	reg.exe
2776	reg.exe
892	reg.exe
1884	reg.exe
2952	reg.exe
2580	reg.exe
2240	reg.exe
2516	reg.exe
2956	reg.exe
2260	reg.exe
2828	reg.exe
2560	reg.exe
760	reg.exe
864	reg.exe
2424	reg.exe
2256	reg.exe
2588	reg.exe
2708	reg.exe
960	reg.exe
1768	reg.exe
2500	reg.exe
2736	reg.exe
892	reg.exe
1556	reg.exe
2592	reg.exe
1092	reg.exe
2144	reg.exe
944	reg.exe
2124	reg.exe
2108	reg.exe
1580	reg.exe
2760	reg.exe
452	reg.exe
564	reg.exe
328	reg.exe
2724	reg.exe
1080	reg.exe
2752	reg.exe
772	reg.exe
3000	reg.exe
984	reg.exe
2020	reg.exe
2948	reg.exe
1936	reg.exe
1660	reg.exe
960	reg.exe
2928	reg.exe
2928	reg.exe
1368	reg.exe
1668	reg.exe
1164	reg.exe
1496	reg.exe
1368	reg.exe
3004	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	Process not Found
3016	Process not Found
2496	conhost.exe
2496	conhost.exe
3048	2bc932bf53710c0dc37e3a16c0975a1c.exe
3048	2bc932bf53710c0dc37e3a16c0975a1c.exe
2936	conhost.exe
2936	conhost.exe
2408	conhost.exe
2408	conhost.exe
296	conhost.exe
296	conhost.exe
2400	conhost.exe
2400	conhost.exe
2660	reg.exe
2660	reg.exe
3048	2bc932bf53710c0dc37e3a16c0975a1c.exe
3048	2bc932bf53710c0dc37e3a16c0975a1c.exe
692	2bc932bf53710c0dc37e3a16c0975a1c.exe
692	2bc932bf53710c0dc37e3a16c0975a1c.exe
2836	cmd.exe
2836	cmd.exe
1508	conhost.exe
1508	conhost.exe
2388	cmd.exe
2388	cmd.exe
944	2bc932bf53710c0dc37e3a16c0975a1c.exe
944	2bc932bf53710c0dc37e3a16c0975a1c.exe
2360	cmd.exe
2360	cmd.exe
628	2bc932bf53710c0dc37e3a16c0975a1c.exe
628	2bc932bf53710c0dc37e3a16c0975a1c.exe
2624	conhost.exe
2624	conhost.exe
3052	cmd.exe
3052	cmd.exe
2556	2bc932bf53710c0dc37e3a16c0975a1c.exe
2556	2bc932bf53710c0dc37e3a16c0975a1c.exe
1240	cmd.exe
1240	cmd.exe
2824	2bc932bf53710c0dc37e3a16c0975a1c.exe
2824	2bc932bf53710c0dc37e3a16c0975a1c.exe
2184	2bc932bf53710c0dc37e3a16c0975a1c.exe
2184	2bc932bf53710c0dc37e3a16c0975a1c.exe
3060	conhost.exe
3060	conhost.exe
1732	2bc932bf53710c0dc37e3a16c0975a1c.exe
1732	2bc932bf53710c0dc37e3a16c0975a1c.exe
2472	reg.exe
2472	reg.exe
2756	reg.exe
2756	reg.exe
2644	2bc932bf53710c0dc37e3a16c0975a1c.exe
2644	2bc932bf53710c0dc37e3a16c0975a1c.exe
240	cscript.exe
240	cscript.exe
2232	conhost.exe
2232	conhost.exe
3004	reg.exe
3004	reg.exe
2216	2bc932bf53710c0dc37e3a16c0975a1c.exe
2216	2bc932bf53710c0dc37e3a16c0975a1c.exe
2656	2bc932bf53710c0dc37e3a16c0975a1c.exe
2656	2bc932bf53710c0dc37e3a16c0975a1c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2852	fMwUAswo.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe
2852	fMwUAswo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2852	3016	Process not Found	918
PID 3016 wrote to memory of 2852	3016	Process not Found	918
PID 3016 wrote to memory of 2852	3016	Process not Found	918
PID 3016 wrote to memory of 2852	3016	Process not Found	918
PID 3016 wrote to memory of 1616	3016	Process not Found	917
PID 3016 wrote to memory of 1616	3016	Process not Found	917
PID 3016 wrote to memory of 1616	3016	Process not Found	917
PID 3016 wrote to memory of 1616	3016	Process not Found	917
PID 3016 wrote to memory of 2584	3016	Process not Found	916
PID 3016 wrote to memory of 2584	3016	Process not Found	916
PID 3016 wrote to memory of 2584	3016	Process not Found	916
PID 3016 wrote to memory of 2584	3016	Process not Found	916
PID 2584 wrote to memory of 2496	2584	cmd.exe	296
PID 2584 wrote to memory of 2496	2584	cmd.exe	296
PID 2584 wrote to memory of 2496	2584	cmd.exe	296
PID 2584 wrote to memory of 2496	2584	cmd.exe	296
PID 3016 wrote to memory of 2736	3016	Process not Found	914
PID 3016 wrote to memory of 2736	3016	Process not Found	914
PID 3016 wrote to memory of 2736	3016	Process not Found	914
PID 3016 wrote to memory of 2736	3016	Process not Found	914
PID 3016 wrote to memory of 2728	3016	Process not Found	913
PID 3016 wrote to memory of 2728	3016	Process not Found	913
PID 3016 wrote to memory of 2728	3016	Process not Found	913
PID 3016 wrote to memory of 2728	3016	Process not Found	913
PID 3016 wrote to memory of 2660	3016	Process not Found	911
PID 3016 wrote to memory of 2660	3016	Process not Found	911
PID 3016 wrote to memory of 2660	3016	Process not Found	911
PID 3016 wrote to memory of 2660	3016	Process not Found	911
PID 2496 wrote to memory of 2800	2496	conhost.exe	909
PID 2496 wrote to memory of 2800	2496	conhost.exe	909
PID 2496 wrote to memory of 2800	2496	conhost.exe	909
PID 2496 wrote to memory of 2800	2496	conhost.exe	909
PID 2800 wrote to memory of 3048	2800	cmd.exe	907
PID 2800 wrote to memory of 3048	2800	cmd.exe	907
PID 2800 wrote to memory of 3048	2800	cmd.exe	907
PID 2800 wrote to memory of 3048	2800	cmd.exe	907
PID 2496 wrote to memory of 2424	2496	conhost.exe	906
PID 2496 wrote to memory of 2424	2496	conhost.exe	906
PID 2496 wrote to memory of 2424	2496	conhost.exe	906
PID 2496 wrote to memory of 2424	2496	conhost.exe	906
PID 2496 wrote to memory of 1496	2496	conhost.exe	734
PID 2496 wrote to memory of 1496	2496	conhost.exe	734
PID 2496 wrote to memory of 1496	2496	conhost.exe	734
PID 2496 wrote to memory of 1496	2496	conhost.exe	734
PID 2496 wrote to memory of 3004	2496	conhost.exe	904
PID 2496 wrote to memory of 3004	2496	conhost.exe	904
PID 2496 wrote to memory of 3004	2496	conhost.exe	904
PID 2496 wrote to memory of 3004	2496	conhost.exe	904
PID 2496 wrote to memory of 2196	2496	conhost.exe	901
PID 2496 wrote to memory of 2196	2496	conhost.exe	901
PID 2496 wrote to memory of 2196	2496	conhost.exe	901
PID 2496 wrote to memory of 2196	2496	conhost.exe	901
PID 2196 wrote to memory of 2824	2196	cmd.exe	714
PID 2196 wrote to memory of 2824	2196	cmd.exe	714
PID 2196 wrote to memory of 2824	2196	cmd.exe	714
PID 2196 wrote to memory of 2824	2196	cmd.exe	714
PID 3048 wrote to memory of 2760	3048	2bc932bf53710c0dc37e3a16c0975a1c.exe	899
PID 3048 wrote to memory of 2760	3048	2bc932bf53710c0dc37e3a16c0975a1c.exe	899
PID 3048 wrote to memory of 2760	3048	2bc932bf53710c0dc37e3a16c0975a1c.exe	899
PID 3048 wrote to memory of 2760	3048	2bc932bf53710c0dc37e3a16c0975a1c.exe	899
PID 2760 wrote to memory of 2936	2760	cmd.exe	761
PID 2760 wrote to memory of 2936	2760	cmd.exe	761
PID 2760 wrote to memory of 2936	2760	cmd.exe	761
PID 2760 wrote to memory of 2936	2760	cmd.exe	761

System policy modification 1 TTPs 20 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2bc932bf53710c0dc37e3a16c0975a1c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2bc932bf53710c0dc37e3a16c0975a1c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
"C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe"
1⤵
PID:3016

C:\ProgramData\aGcMYwYM\LccMIQEw.exe
C:\ProgramData\aGcMYwYM\LccMIQEw.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2104

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2496
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2824
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1368

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2948

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2408
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:296
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2660
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:628
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
    C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
    3⤵
    PID:1288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1660

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:2624

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:3052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:960

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:3004
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2844
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1936
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2304
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2476

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1768
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2792
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tYkQckgA.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\rckYUgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:2840
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2468

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bQgkwEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:844
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2564

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\WUgUccMM.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:1328
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2520
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1580
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:1644

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
    C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
    3⤵
    PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYcogggY.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:692
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VEUgIQMA.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        5⤵
        
        PID:332
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2176
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:1368
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1360
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        5⤵
        
        PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3024
    - - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\IkYgoUwk.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2304
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2712
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1832
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1888
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2164

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:1732
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ucQYwIIo.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:2804

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1240
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
    C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
    3⤵
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
      C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
      4⤵
      PID:1824
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmgoUkQA.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
        5⤵
        
        PID:1744
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:2560
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1724
      - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
        
        C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        5⤵
        
        PID:2688
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:1692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1744
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2252

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\IIswQoss.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2728
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2548
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
    C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
    3⤵
    PID:1200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:2112

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AIAEMUcE.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2068
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1560
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2652
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SCoQMkEk.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2592
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\CgMoooMg.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\liAMQUYI.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:328
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2708
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
    3⤵
    PID:2832
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2580
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:3000

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2944
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
    3⤵
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
      C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
      4⤵
      PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\pAMwAEUo.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1660
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\jIcYYUww.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
      C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
    3⤵
    PID:856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\GSEYEcsc.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\YywgMIEk.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
    3⤵
    PID:1612
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2352
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2108
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\kGkIAkMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
    3⤵
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1076
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:1072
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2256

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ucYcUoAI.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEQcwYoU.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
    3⤵
    PID:1792
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2892
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:2540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:1980
- - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
    C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
    3⤵
    PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\yYsYckIo.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1884
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2860
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
        5⤵
        
        PID:2636
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2592
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
      4⤵
      PID:300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\MuoEkQEI.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2148
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2712
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\NuMoQwYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
      C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
    3⤵
    PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\JMYsgAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
      4⤵
      Modifies visibility of file extensions in Explorer
      Suspicious behavior: EnumeratesProcesses
      PID:3052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:892
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
      4⤵
      PID:1916
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2708

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CIUMsAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FGUcscUs.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:760
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
    - Suspicious behavior: EnumeratesProcesses
    PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\YucEIUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1512
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2456
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
    3⤵
    PID:1368
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2712
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:944
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2772
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:2364

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2976
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:2944
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSMQgsYs.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:844
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2088
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AWgQoYQw.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2072
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\YsQkMcEw.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\CKMQwsws.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2312
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1760
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2588
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:1200
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mSkcQQkA.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:1788
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1444
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1228

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UWUYggUk.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2660
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2788
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1568
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:1076

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgAcIcgM.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "844305814-1259902078-1492462889-1673903143-10518438831769428589-5293528822020714067"
1⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\emkkggEY.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:832
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FKkMQYEM.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1824
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOwgEoQo.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1580
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2252
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16826154201091392709-409506047-100525340412972968681095867463-355544332-345246464"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\jswEMYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zeEMEgYo.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-253635137182090824118132664518301757941957501849-3076981294245158531757516915"
1⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:2736
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgwMsEMw.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DoEQMkog.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2984
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:816
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1496
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:1824
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2640

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-86812998814592057516087194281797656151-761567383-1583521093-17621596821342972710"
1⤵
PID:2080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2196
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1372
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "127023268312994165251196497231-2522344314487019433791254491134091536366119702"
1⤵
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-587557615-1638179687-4252351291688251282-369323435-750721151-282976868553663357"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DcMEAgYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2688
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2588
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2828
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:2604

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\veUEogII.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2864
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zewEQEQc.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:1592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2124
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\XuUwIQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:1560
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2948
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
    C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
    3⤵
    PID:1832
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\YMMgssgk.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
    3⤵
    PID:240
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\BSoEMkQE.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1768
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
      4⤵
      PID:2804
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1164
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
    3⤵
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hyIIQMQE.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:1704
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1168
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2260
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HoYAUwYU.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\GCckssgM.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:2360
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  - Checks whether UAC is enabled
  - System policy modification
  PID:1444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1390339683-584284110-517884688-107717799750343818018303737701701575111-1108579218"
1⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:3048
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2928

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1324454571626897643-1004439723-15628517801677388230-54735673-7851686992032695341"
1⤵
- UAC bypass
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1037636225883737771-208570399912611543541111286321752113617-795449223-319683209"
1⤵
PID:2272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1102638142-784487187409612882-827397939-1496127143-803906213-1600514261-1707040767"
1⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KEYMQYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1016
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tSscAMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dEQMswAc.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\oQkggYwI.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2528
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2760
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1724
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1463315876-526759396-15205259131946521857-1326628564103268246910103303392078175587"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16201256931916834886-1994897907-1390032093-15331248368487800461528615302-1694475327"
1⤵
- UAC bypass
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1764138072-1136759484-1794893830-65316438976515730-136898231044889575471656276"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10334847313195623943024877441317195911-7450105071572936282840817445-572671683"
1⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmEIsYcU.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwQQgoYA.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2056
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:688
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1712
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1788
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6330014621827580381-10937933621449179030-333388302-14168068344741915891817739391"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-214320454661891768011562072041711633732-1665230745-254775547758737631-954104611"
1⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\swogAcko.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:1280
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1560
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AoQMEUME.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "831085288-902128952-9180662994160923132409890511849519211410102757-135771274"
1⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1268

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2804
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:2232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15482759211071956462-1451453672-149762313313282724381137067490-148526799-1447963436"
1⤵
PID:812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "808946943102804772115103734681471454-10460487731121475630-514858651440267143"
1⤵
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5194187001930361227-1148680325-1709109911671205637976352518-1305854652563020309"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1820
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14679545531838025955-6192627021807719632118102521-353087218-1740043036-1867042766"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4833039247824491631164583298-2569627041193946337-1497340164-12738381742041232797"
1⤵
- UAC bypass
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1002208273-2081693089-102864270-2101537589-1585776911-149450800045702888611402406"
1⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KCkQYgQg.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:760

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9494614631138907590-20414857086779424201170151097-10127717051179096140426850076"
1⤵
- UAC bypass
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\beAgggMI.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- UAC bypass
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "930404287529732222010360213207897200-1373242847-758448674-1585855323-1182369134"
1⤵
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1773688528361330830-197170648218575503391280241407646663171138596691443097669"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lYAUYoYI.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:3004
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2636
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2516
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Modifies registry key
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1656729179-379201882-12716199491488393306-1380284154-687119539-700572108-1412315573"
1⤵
- Modifies visibility of file extensions in Explorer
PID:452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1983755899-7675610401032135354-173335371472055850-1784539199-289104448-3782270"
1⤵
- UAC bypass
PID:1880

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dkwAoMUc.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\IKQUQwww.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:1888
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1344
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-68523979745103614918069985-2110762824-15324995804789931177064012-1052599911"
1⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
  C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
  2⤵
  PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8077951891363012067-290613047-10020754101430035608-818409685-13974192-1877470216"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9033710921042594771454048496-1119465282-295021133-1183011591932583935-1268652656"
1⤵
- UAC bypass
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWoYgsMw.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "483449339-221179909121608151153471739613231025755682414-1228950032-375114717"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EessAsYo.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2568
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2804
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2544
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  PID:2736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:2968

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-223590023-1169877127116621109620263356871553650354552699892-906698333-2034677864"
1⤵
- UAC bypass
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-174374946072506376-1239651291-1674301106-459684198-1673423020-909107089547600357"
1⤵
- UAC bypass
PID:940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "894298492-4147288053044708032113554266-1285825751650643924-1361301606-820621478"
1⤵
PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18531652491060199131156588035-672881725627612322-267047158-2102368514520403135"
1⤵
PID:300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-805014090-12549972481800432919324721083-1399811154-29018424349124741-718159013"
1⤵
- Modifies visibility of file extensions in Explorer
PID:960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2113675083551645421275354073-1110376464-1005040934203606006809629325368301730"
1⤵
PID:564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "908652141-9481701949343940938885848721377214911855662322-182402565-739554056"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dMIMIkUg.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:1608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1870200208-910841064-16142550724275169231018286582462491319-1467581295-201582502"
1⤵
PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18438728941923715206-13984924151526030597810475601-270313868740130152-1489116201"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1067649001-7660515438144221113040250099610521287733524641799971808-1795990462"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20331976801097949286-725872729675389871-2788656201832617381363017299883126274"
1⤵
PID:2312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1088142334-1169163931985095271-857565507-619577218-1963600090336011087-348346170"
1⤵
PID:1164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-168928890917209207801353889619-13649078641322199868657426590196513278748784400"
1⤵
PID:2468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-419882042344254280-2119223919-156551567212489637522521333204252094001668211184"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wOYMIYoA.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1640472141602877715-1786654847-2109912787-285224332-8709611909257856871263832197"
1⤵
- UAC bypass
PID:2864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:1196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-91062487818838872178757511331974406381439666674-1181674176-787203397-165008020"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19240609-143091452515184471681845908269258484406-456875171-4542228231850553452"
1⤵
PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7398028641767220385-1555459333-1957905904-1197108685-1157134786-780335719-815459307"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\PoMcggAI.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1172
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2256
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4540682002094362490-482736131784802510-1029066291-2933471416458767701285290888"
1⤵
- UAC bypass
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1573479041459000722-952461879-1264488890-241182085-12120982956045236161816434220"
1⤵
- UAC bypass
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "298510823-1581991600170488441819418963861579424352-9724991154162933494795061"
1⤵
PID:592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "733887617-1985481996180542673795841805-1573695868-13963082901599599030-1517202788"
1⤵
PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "405711656-1019146188-1232129071420735769151204080-58824501-20463036211980636704"
1⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uusMsksk.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1162639899141113957-1132900867-7980395-17177932821219380324-1124753570-1923590533"
1⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1628

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1462380455-9501082321784885286313005595-480305399-82591877941687024-274701585"
1⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1640777721-2139450786968370805247136263-60334239677036815-1785111297670961977"
1⤵
- UAC bypass
PID:956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1785118158-1425725236-1532346640-2674599141644279862-1765080415-1794225348-341735249"
1⤵
PID:2820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20124516249846858812041641440951115417-2080563593-13367476241874419914855371437"
1⤵
PID:2484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "281842042-2650000611250544075-111091436-966244683-1898427722-554193608-394183453"
1⤵
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1838383300-5286021247913195092106142298-637307837-515600683-9836316781465950662"
1⤵
- UAC bypass
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5997472311947268777-1539991607-34094986-464932257-1137882840-11646525921334064181"
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "22502034518418998441932600278-946264736-387785356990820775105181895814067177"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-282909104-1970723721307361220-1492626041-2050230621-303490932-394805174-1455018394"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\WqUMskcg.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:3056
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Modifies registry key
  PID:892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1893600223-56124070711802237601660442005-1197204894-618009890215184442098849569"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5433003362049081106-718436284-12194032371711306494-10902857192054449375-1724605757"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2136

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8306480011202752893-23029934310899106517951381051630515152201500125816762309"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YwYIwAcU.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:1896
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2020
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2088
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9148147881275626966387059991-1978696729-1574725877-1071748022635849714817731783"
1⤵
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14045284421055896013-113554035-1671565301-343084591-191948570-1040255188-848591456"
1⤵
PID:832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "107780955064499809136890931114283676916439556861307734602528861975157597121"
1⤵
PID:1328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16413473169753521931793207329-1881841269-1028645688162512687515184487781049566336"
1⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\juMUMUIU.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
  2⤵
  PID:2168
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\akogMMAI.bat" "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe""
1⤵
PID:2772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4263350282549628801406651193971625132-449377086-81267580-265031386-400912329"
1⤵
PID:1076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13568376202033669178744604997637843665-1217965256-80153048859825138-920684144"
1⤵
- UAC bypass
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19750639774295010282120427842-78133009313492916278123089921554186770-574250825"
1⤵
- UAC bypass
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15697453-199092402815751240731746102508943317553632830765-528512334805026422"
1⤵
- UAC bypass
PID:2964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9951900326291574571447034197201646791-1185034437-1909511299-1807466108-195422401"
1⤵
PID:2156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-685839866-1960344398526191987-1335107753-688286605-1244285634-1312384746586881393"
1⤵
- UAC bypass
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2010170250-1432428743-534759920464240081-32975405018060974571334702084209612391"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21168678391524728808-10127247-181473916-1154527737-9929655231508069001814973330"
1⤵
- Modifies visibility of file extensions in Explorer
PID:344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1383580499-14309554999157836681933298102262828081442117745-104943481-1449270435"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1896873551-638939786-14778463861427367028-56274420-435019995-799029994-1466125707"
1⤵
PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2075448355-1421778676-374236871-1683261381-1409605374628512354-1491997271071942768"
1⤵
PID:792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1867765826148323816415135128-895439591-1378507678-2135158761-1006889679-1862365015"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1273282956-1451555462-3424807621248270092-1642638985884159750-250660599-405799512"
1⤵
PID:1980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-160166505715516531-1302701212802853291521593355-10302728872046763768-468836922"
1⤵
PID:1316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2102146825-111572285-1075034790-524792453-9515032811379254834-17823239122112176442"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1316145772336574242-8102169451886274761345900672-1063694022531001288804314"
1⤵
- UAC bypass
PID:864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2136155110-14926536871779617921958575356-895780688042834918871886221965205125"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "306107383-1108112843-1984928376-849356465-2039172223-37936916521032499341956799292"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-362837235111286939117744019136390430882007839162-1112092539275455863772847306"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1107298247370773641-1139441001544075010-1167588566-1615609581-15589596521620881927"
1⤵
- UAC bypass
PID:816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2080885206-1722832230-1140545911586061126209605866112199834651930723045-1946586500"
1⤵
- Modifies visibility of file extensions in Explorer
PID:3000

C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c.exe
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "461029303-3189516349075494956166649-17572715631257357912-2109414441-2031957472"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-37547288090404409933522211316559215341254894996-69780831889954887286306171"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:2660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "61811081-16471760597971256201508369009-353254757299507193-726038845-1843145225"
1⤵
- UAC bypass
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c"
1⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\ProgramData\AOoMwwAg\bIEEIkAE.exe
"C:\ProgramData\AOoMwwAg\bIEEIkAE.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1616

C:\Users\Admin\YuQYAEMs\fMwUAswo.exe
"C:\Users\Admin\YuQYAEMs\fMwUAswo.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AOoMwwAg\bIEEIkAE.exe

Filesize
92KB

MD5
1f55cd85b595f587b9449a0828e74171

SHA1
7a86054125c6ce8dcf697407a618818d92037a58

SHA256
d2428b612af5f6145530eb7e1cf682b83ff20a6aada564777504deeb3426232a

SHA512
d579b14d43e9793597daae4152906f4ee36dc6fcf6b5c010198d7ad40d443b729209ccfbc9d206d8d84a484d1e931674b2fd3f21e714e87804312c66d71cd356

Download Submit
C:\ProgramData\AOoMwwAg\bIEEIkAE.exe

Filesize
94KB

MD5
2f5cc14c1e639eb8dc1dd13cf2f1e672

SHA1
71b59f0ab6cbcc1188ac941d9e97080548b79d6b

SHA256
43ade9c82a4151d5a69d14a4a378c126e0356e528ab184c4fd8d02d832d84a6a

SHA512
1f0c1108622c0da3e3082cf9310ce73aec821f965106d7ef648a1716ebd9a3da4a83d3045ce7d3845148c0b357d428350cc03fd432bc4dd323a9907c1296d216

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
561KB

MD5
dba6ff4b50f70c7cc4dd31e5e6d92b14

SHA1
15d5b9f320865a4862fa32c92ac209843a8ebacd

SHA256
fe750a0343e8dc0907a757b16874e0ddff75cb6289c4ffe7b2405701557f2f53

SHA512
164050bc568094a08c65fa930a869bcda03e126c6b96e2663e4a3aff6adb887e69b4f991fc30804b9034360f822e56d1e2a38300fca94c7e560db8f7e6747206

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
561KB

MD5
30021e15232b839369f67d7137522a8b

SHA1
48152fe398ec98a58eb833a7733707991a4b3a84

SHA256
d01f1cd55193b2f716770ea470708c12e2382b833f0337ea55e3d6f9efa988aa

SHA512
47e2461d4e44f64ab4262e13394e6b6bf90239984d6a86997cab2bcddac729f5fc7e2175e44708d6b75fb7ae5cafd2faf74be28ccc4da2c03609edfccadf9ef1

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
479KB

MD5
6b52d7456107652b4c886d30dab4f1bd

SHA1
4a6ec3298695b7dbe3c969fcaf003fd7d22716a4

SHA256
44f5cabfa53ba7bff0b62fa6b6772774f3d45ce97ab1299866840fda51781d24

SHA512
0a2c5b26d473157c70318472b34c9bb47d640d7c835a8069e3c763364b4a83330bb4a9f498e9fa665dfad8b84d0cba04ca7609e7cc8fb3ac15f71092b9b9ed02

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
479KB

MD5
9cc7cd25c5cf5e11c5a87b5f19d0fee4

SHA1
72f0c75c5169acc18c55d7b3b0e9cde26622afe9

SHA256
86c8617b8957e1ccf588a87ad1cff97bce35ce4b8c626d99d2e49a5178008c30

SHA512
7ea9f0ef3868269db7b9677597c73188555adb25406b6472263d63e876fbbb287546dd22fa2470090f696585477152207e4e2e87385255f06479dacfdffeb301

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
462KB

MD5
d2d68a921cb613402ef3ee9922545c9d

SHA1
c4416aaa552cfab83af8b484e0014df6cdb0b63c

SHA256
6eee677b910c314ceb2cc28fc38cacbcccd3984edf3a4dd264df4afbe23d77a2

SHA512
4c03dae1c8afc5cb4e39eaa0b4cfe3ff125dc318836b6893afb2843fd856965f176e0c571676928a9a3167a97728efcedfe26d0c69af1e32663f0c8f521b3d8c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
474KB

MD5
fd3f12a4c3cccebacac8233a6522f3c7

SHA1
932b6577984079d180341fe5444b1e6af6096d83

SHA256
7ae3fab58a6af7e93a79e75363698a4c632b930f20eac193ff2ff90b5f5cd2be

SHA512
836dca9ee22ca7607dede078b445869ec9dcc2c7a3f1250020c2f881436e8645b6d52b7bb87cbc35eb135e0d513ae897fc382994fa462d3ac9b61f4c8c609602

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
483KB

MD5
ca4f970bafe28c2c0cf0f97ad82dac78

SHA1
5b3a81f23e1f1895351f72ab9c465f3a6857e09c

SHA256
dcfd4e77ad54d0bde5517c874d9de47cf37c39d9a1d292ba7201e0735fbd4a80

SHA512
b47730a8aef089e7e2aa101557e61c585174241ff966657f4c40661c79de0bdd42ed69b0cf9beac12a9c6d92c5ae2ebada2c3b6c765b1c75a3bc24093db5ef80

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.exe

Filesize
483KB

MD5
d7593fb0d144a96387c07937e219fb9b

SHA1
4c40fd28f93aa21a4f4531db341418c7683d1ae8

SHA256
8ecf20f3797870051ce123ae7363a24f0e2fcbbce5f4df11a1e4b257652ef598

SHA512
3a08e349ead1c63223941b5a7dcde57d3032600301bca7ac541f6755fe862166fd6ff9a60cbb5836f7407e9eedb5929067792c20702372c9605c38aa70bf51ba

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
480KB

MD5
b9a89a703025efccbcbd15b60a269a4a

SHA1
4181762d9b4cdf349534231cc3a2526b70660de9

SHA256
b074eda2ccc1d5d120a7c90f5969113e27204cc4eff05e27814fe0f6864db3e7

SHA512
229ca98371c9144c5f59c24447001c09eb8ee57ef242ead36c17b2defbe16c1a5aee5ad31c5295b39d9cd85118b893313a32ce3fcf1ce7b5c0c45424d4594b01

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
480KB

MD5
27b06a7596c33a03819561d27488bd77

SHA1
aaedc47ded866e86e6a6939822e5d660a25c687f

SHA256
3e1569deaea024c533509118fd0dc33d1abb0450d273b5b3db1279410f5c9668

SHA512
934d150b641db36a9a13b41a2daec5f75a6556b7bd7dca8c428d01abf20976984729a286d394a413938e13988dbeb48dad9f032e86db39cbf88c5f57be8e4add

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
484KB

MD5
163cb1ed51d45bc51540190d1d0fe660

SHA1
6201460c81e93f83ae69cdea29a9d50d8e059d91

SHA256
e82d5180b928c284bc20b8f4ae004e22c49ef26dde57fc95a655936ad61f9756

SHA512
d6f74878a1b0695d82f63b0f19dade10d9f20f59b2d05c0b6c171285fe69f00e4d99972dd17bad36300075b441c0aa21a231c4c5ca5daeb8a3376d693e7adf0d

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.exe

Filesize
476KB

MD5
14025118df18bd8068424cf696890c30

SHA1
8dc4268195350f0eaedf5b3a99c495c13816d3ab

SHA256
025f902a3a255322fea69e8a83a4e5fd08895cbbf05279efe7135bcbe016844d

SHA512
3e9434ec424fe8b52a49995d909ce68ab939f2972e1391fc1edb4fd5515b9c26b7c6e2942ba09d7bfa7ed62f22be153f556678144b04baf7f63e34696876f262

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.exe

Filesize
480KB

MD5
6bd3dbb399f5329cfae991a1fc0c0e8e

SHA1
7189aaabec7f83718abbbf6a4c338a50b5df35f5

SHA256
6708215065afd749d00ace88394afa6efa680bd019a545494927e2676a9c2621

SHA512
602853dbc3a837ba9a63a367bff46b66e0b8bdabe009af072a3b2067ba24d7c7ab2e595caa404e6b38cf12fc1aa605ac981e3ac7de8002108788116f20c1ba55

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
479KB

MD5
a00ffeb5d8c0f5944156613d10afa737

SHA1
b6aaa2e24e6846b5a51b67c9828834fe700b371d

SHA256
9219515b0d92a5f23ead69e4b5e0686f216300c511290c9138301009ae395f4c

SHA512
4d03a3c9f468f2f8784f1c0dd9c9b0d794954675a07ffe4651d9a4f941905f4ccae8198d901d93454cd6b86fd8baa7aaf39bb8f38c5aa0ef9ad17d7910a103a7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

Filesize
481KB

MD5
0d40570a8450ac2a0127c10145367255

SHA1
703193cc1415b31bf00382a00b81ccf4247c2a84

SHA256
f3ba0f33cd5f5630a863afa1310243b85e1560c6e3498dae47267c8becbd8afb

SHA512
248aa8f2b37f1a9472ec435683231e10848966d74c8b35aea9df71c652db675a8f170d793134ed4cc2a2dda8b32c9e3d006357c26975cbe1414af04805f29eea

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.exe

Filesize
482KB

MD5
895abe9f5054d3066b2ef9446747a0b8

SHA1
707880d3bd7b149faf06bc1b9f2cf7364e3f5bf6

SHA256
d453b8720f63278659bdb30e1a6c116042307a887d1b3bbead4de28caad8927f

SHA512
cd02e724af393d5a48f95a344d364f475a46110f739a3fe35ecae753a18f80c0c0c9f01b15449f278ddb228b07537d73fb8025208504e486b3b7d5de899bd487

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.exe

Filesize
483KB

MD5
96ad49c3e3fa14123b4fce2711365160

SHA1
180102979e40bbecde2785a248ec50ca69bbb131

SHA256
faffafb8a00ae15244d53bcd180d2f83621dddf37e63e8d07d79661476b216a0

SHA512
6c82f25cd4293d38605b67205042a529b18d9b1d70bd6671e6429dff32773bf88497f3115fc75f2fc665054cf688b101d8b7674f948c92e011b87c620b008935

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.exe

Filesize
479KB

MD5
0651d56bdff5ba2fcb2560077fcc164c

SHA1
c8deccaa61c138316d52040f962ca66dea4eae86

SHA256
c124a71f7c632b48013e43233cdd5911d294573166ba2a337bce6377604c5589

SHA512
ff454f34c265a21606df3fcd3080da3138f38efaa2d86fe3ccbc98640f937c5749943ffe35b00eab99e00f05092978b05861c6c6cb1b5cc3b1d12a27051e80c7

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
478KB

MD5
070de7a3df5a031d6d5002da199e430b

SHA1
99c930cdb46530c3aa060db886f54aa43164f3a2

SHA256
044d39bbdcbaedf0cfc8f9f83e01ecca4f5345ad58fc81b93a5a4b82809e8f7b

SHA512
acc0d4d46d4dd1e2c260a746e1e3ab208431a3b4a40b06fb8f158f73d7e683e45b0263f0d3ee9ff73cb3f573b4868a6d93ac4a9b7b25b320ed81305620c21a85

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
480KB

MD5
4519836130724a279efedc3d5b083e4e

SHA1
8c01098384ea94bbaea4e2fcd11c62f9ffd3e626

SHA256
9b16dfafae0f264abd26af109402eb882ffaa90faec7d70080676f7d3b23ef81

SHA512
bafcf5f5f15f9efa6f910bbf76bdc37c6ef3d0e94d916cff9270811b8d5d0833f45bd815247db5d7717b91a4ce97029959f8312b782bd7c15c708ef9f59f6f18

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
884KB

MD5
9c7275d03d6b6f5ac707047155d115b8

SHA1
64b44781855442ebb55716cbabca30080f9cea87

SHA256
7ffb785e37f764815b85f32e71417c6ec9d81600048d016178c0dbe3c39db067

SHA512
ad074828abba51997a8b96bdbd4aeaf9b6ebb2f97f467f2003e9e104db1a7905ccec02b0228d451a87508af8d39c74c62a74182ba6009f4761ec0cf1b7f9f5ae

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
888KB

MD5
a196af6e560d4ae8af75970e37be3ce9

SHA1
ff07ad4c53572b13c023271b8fb9033e9acd349d

SHA256
b3129579c1a805ae107dc66ed037cafbddb49a7f4f2ece458dc2dbec3872e645

SHA512
a3129998a715fad28fb41c2e1a74bda729f990278f526701693a31da9deadb9afd2f286b45dc09e677bb5300a41c52cf085b5e98f1c96dbd2aaa6c8c397cee61

Download Submit
C:\ProgramData\aGcMYwYM\LccMIQEw.exe

Filesize
94KB

MD5
6e83f1a1d8ea7e647e8a666114637f4a

SHA1
7aa4fa93d36871170f2cc3ffc80abd29458aab1e

SHA256
7e67324a0de215c56b4f6550e6d5f9e32536b671f843c1c6577f3315056c8fc8

SHA512
07ddae3f3861906c43f82e23c6b4c518a367693ee299b5ea4e38c9d64f02b34bcedcb503bcb7726f7b8843bd99ad9ca4725c5049ab8c0491e863ddd45f268372

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png.exe

Filesize
436KB

MD5
01e96fc8a5122588ecbf89890fb036ad

SHA1
d28f24bfa80c14ea48e6964003509f04434c2af1

SHA256
cadae9b256b1e0dc69e599c2bcd408e40fd11889e4ddc4807b49ff27b6c58287

SHA512
825d4d1488f0f01603c965280319680b52fc658b2bf1f27f349a8b55eca5a20f06b95149bbb2ff33ee2b9ef3aac38c317e8e7164ea16f505bbaf915f41ef7618

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe

Filesize
442KB

MD5
018811b881885c000053d26fefa00795

SHA1
4ecb04883d817b312f19ccc2468c30a69131aff2

SHA256
5e8f6439573d8881b2bc0ca33481cbd4a0d5dbca3c292b1cc79159e658223a88

SHA512
2466cb33630fe343df9d27b17e9b2e6bd62a5e0050dcdbb4b1ad646dfff96cdf9384313118cf3e21ba8f947895d042f1b98f131b3cb0d05da63850396cb69f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bc932bf53710c0dc37e3a16c0975a1c

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIgI.exe

Filesize
484KB

MD5
4f6e9193a1209cf316612089fe03dc70

SHA1
caef96ebe0efe503c48af4102bd14cc1e22c5b5e

SHA256
6a50fcd8d541fb498e9dfc94be0c130eeb48055f07d5243cce7ecbbf7d22d880

SHA512
d2ab07ee7f24156b660ff879ea2bdabb2e3726085a26356ad9652b0baf5897a7bdfe591237aee1909250a6adc85891a1e12c50bac5573301ffe503f35c9e69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMke.exe

Filesize
802KB

MD5
7d71549846bc57628a1408c47d2a148a

SHA1
92d65a4a3921c76738c9df7a815d2d732d88491c

SHA256
4e502f7ede3c64ffa8ef36e624a013226d339f25ac2095ceed4f9f3c01119aac

SHA512
48731b249f789dbcf3dd9e09c45362e76e96c73b8a06422d7f395ce2e99593ae4d21eb7f17353360f3aaeb27183357a35e519991474ecd6b62718e64c4aae0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOwkskgI.bat

Filesize
4B

MD5
d51b1fef48e33c3c64b42a688574df77

SHA1
2e62da4e6a8516d4a382a7a9ce774a44132c251f

SHA256
96dc489f34b7993e0c2590f0c017a12bee8c47ece3eadaabb43d263a0de98bcc

SHA512
588acd04f3deef0833631290d9dc0433768b561eb69fad433a27516e1f0e7a3de4850169e898e22e9e7a341f7010b6076e232e5ca211d4093557ec275ed1ebb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AekMMQgM.bat

Filesize
4B

MD5
0794ba846c0a79679d1944f5d838f77d

SHA1
261d8c679a00dff8cf6d4e088b76e79febce1ec7

SHA256
583f6e0d219de185b22031117542ec7a626a45bc2e713a2ad05ed8c6320af6a2

SHA512
f18c4ec2f3ceed91205395fa8acc2576e47f406c34b1aab17ae657cb9927018986d9c08706e222f54b59c92cf8229996f9fc40d3ba5267c2ba457194bf9cd8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgEM.exe

Filesize
435KB

MD5
2cb62ffcd077134c424affbeefd3da37

SHA1
83c7d09153eebb50f82cb3933f2d8d5d1fa91bd5

SHA256
ec73fa152cb7d1ace39a768c97be52d5ba4a7859d562625fd864a69bf752ebdf

SHA512
bab0321eae32eb7696efd142e8b64157a11665992dc449b060e26dfe169325de9200b2acde8e577f6954e5c84146d400e1b197be92afa6cf456d037e1d21b5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAwG.exe

Filesize
1.2MB

MD5
6b8b0f34c377ae0adaa3e4010117ed1e

SHA1
eb54312202a4063ef9412f0bbc8d0ad02f01a089

SHA256
d6be9b8af7a34900246dc5d5b5a1ec4de7d2fc3044e33d1c33bb7f5ed72ac477

SHA512
59d033fad497247a7ee0ed7e8fb8f30df534cf28ddfb1f78ad4d341a3c1f171a69b0f8825004753983cb23454cfe13cf08f4cc35a13b26abbe486dc6228707ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMUA.exe

Filesize
435KB

MD5
91d5afb14240b1e0c94f8a27d6b9fcf7

SHA1
ae484fe4c253735fc63eb2e67a74939f48bbfac5

SHA256
95c62445c46757438f96921d6910d6b36b73df0244fddc5a4074f43fd3942f49

SHA512
997786cda783dd349a3653143b6a4c289055ae82b46a3b9cd9338dfbb6b8e9c2ac48bf5f6c849e9838e70f915978375ee60e607a6c9f164d5dd529359d25e58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\COUgYUkc.bat

Filesize
4B

MD5
8278fde2f677e8837b98fe616953d67d

SHA1
53537ee0638e3a42e7569645542bbf4593228f6c

SHA256
e5f9e8b2b6e9bebefed57627971d2d170bcb9474c55903f0a67139431787cd4a

SHA512
e86a4811340a9e12e479b917963719ca65896ede40b93267db9c186ebc2fc7a09c65db98aad276d7f9f8c6ecb4cc14872aedbf16b82db793875b1cf6ac9c29f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYEg.exe

Filesize
481KB

MD5
f8e62ea1aadc26265f8906928e9b8143

SHA1
c5810f644548fe4c2a06b30cb794d0976488825f

SHA256
818b7d0424ac52c72155c8280d99e51c1d2db12607c058852b21a9739a2c8342

SHA512
22a5795e9010b9172fcba2d30d6498de055a5a3c8514b834570758136033abe6fc3633467e98a0cc14e1a3ae883e4bebd3111696ccf982bfed7a2dd77937c942

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cckw.exe

Filesize
480KB

MD5
c58fe7b522806151aac979b3ded2d2b5

SHA1
05aecddb1831bf0fae5d0e38f976c6121152103b

SHA256
32e1adb3859dbec9dce47d2f0d05de0a4e38cab9ddd574339bdf379eead93493

SHA512
d12be369ee89c700e4cbd33566668f961132e0e5bc55e0e70b6b7ff0ce137e16b51321b2c9fab746614fdb9297d1ea411cdda63ea2307adf76066ce0c069bad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgwk.exe

Filesize
562KB

MD5
17a8b86f79d0e74437a70c52d284dcec

SHA1
29d4392093643f60aa8e2540de46793094a568a4

SHA256
95c89a540f2d359d153598f764523e2bd5c8841e03a3dbc350b41d20f4b948ee

SHA512
cfcd326b5e45606183ee0605c1024a583a56cd780a844e8dd15b9b482d39b1e32d00463b1b93e4cb2012ce1e89d050edf99b90d0e1ae13fe551f41244cd2906b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsEs.exe

Filesize
4.3MB

MD5
ab926ddefdf5de8b3b497fbc9599c2d9

SHA1
78bb82030ba5d9aaa8bde7a431842d11b4887583

SHA256
a62e95ad51fd41c4688e17a10778b59507e93f8520facca71cac66f2189eee2f

SHA512
a6f222ef934e3363e561affbf31314fa8a75b6b8218167a0e1757c9f4841e19c89b86ff0f9d4fbacb8372f8f2ac5263b033feb2f086d16c652d5100392c6b1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsMAwkgY.bat

Filesize
4B

MD5
0b5b93060a5c614858932654a9048be9

SHA1
3eb03ddf18c6c2786bcb6df7c47c7ce27fbe6ae9

SHA256
42b6de4aa02fc227d6aa906c42ce135620c263929fe4916d9f6ed3ef323eeff6

SHA512
4140d9834b199d0f02987541686779db234dc78bec3a66cd813407636b4a32b54e8a86ebccfcc872e66ce3e241e219a3c7d9c9f600432f8fa15bc0774284dc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwEUUoMw.bat

Filesize
4B

MD5
3ce116a8b482dffd6497603ac21f0121

SHA1
57024ab52680ddcda21368a5b709366b7b3eddf9

SHA256
eb5cfbd83e61c2d5c911912962b85ab288cbcc2c8c1ee28b7ac2cab9b58569c2

SHA512
620b70d19e2f74fe97c4e8f805244e329768050cb952716ab25e4b4304b1f91cafb7f63ff6688c615b09e3256a9ef3f1268273fd6bb8482be877f961ba7c3a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUUYAQII.bat

Filesize
4B

MD5
a7dd77e86488930be860cb1fe6cd45ac

SHA1
1aeafdf0f3c29ae3b27161dfe6e747b7603dcf40

SHA256
20369eb767e3e43f00801f577f66c4900c34bdcf0a63fe9060e52206c4f9d080

SHA512
e90b2a5018784bc5a19b5eaf81cb6d708cca416c4379069a2a788bf4fdd57571e5bcffc8ef150345ad5865d8dbff91ce9b88b52cf530eea87c9ef889dfe62c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqgcUQEA.bat

Filesize
4B

MD5
84d78985cb58f8f2fe7084846cf0a8d6

SHA1
1c7b0e3923c59722624e52d6e4535e513ac7113d

SHA256
34e8dbc813ed4eec7c1d8566434450ead447f951811bba083775d68a705a2f29

SHA512
1429782331765297e18c5c87d895306e7e327a7a49f2bfff57bb06fd588e3655ccee54c0e8095c1679dfe5de63e7c17a47ce91e8f1bedd19f7580f49967335d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEUA.exe

Filesize
479KB

MD5
48abd6e4aaa9ace7ea00fdfe8b5f3c41

SHA1
014fc35c91a07ca484a03991712331ab050aeed7

SHA256
0002705917ff5efb0074cb0fb472aa755f49d78141557196dfa044ea1f417a4a

SHA512
c2c8e57b3ed8e28e121a4885f65c66433fbd0860f8d10eba5eab229fd1f1de2bb89c94409a63727fa6f612ea0e2ed5e4e38a599bbc39de870923f314da0d0d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGYIkIkw.bat

Filesize
4B

MD5
bef0f4655458133b6632c8dc1cb8d650

SHA1
c643712ddcd62b8e91c5747c89d96e6b08e40321

SHA256
2564b3508eb6786d00765bc6ffd62b5eafa9aa3fc4f141dae560888c70b196e9

SHA512
7cc5161232f77708181880162867fa146ab44519d862e570395d331c34b9a6cf3664d4f77647bc7054874de1c96b683589b4e23e50ee0419671d8afce2627c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIMMIwss.bat

Filesize
4B

MD5
94d35cf4efa9234fd963a320d4abbfda

SHA1
f704c15f53aabd4166671e4a4e3d8db629884359

SHA256
6f16fc4772debcc2287cf63496d43a7e45765583ade931d6b2ad031268e7df8e

SHA512
c0d837f7420191f2fb3faea65fef3e917fb42890a4c8f3f0c74f9bbf1606c50123ece28c65db051b2e8e1e4d959d25aa4c0ee6c3799307140724d48a05635689

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIka.exe

Filesize
557KB

MD5
4c9b1bb2c1d4006c626744a984ef9919

SHA1
2e7dc744c9f056ab412d9bfd7d65c5e430365d45

SHA256
9aefc38307266c0418631a9075815f299b098352223e9aaa9b59b3990b520a3b

SHA512
cfd8d145d235a264d6c9a70cc2a39e78f58a73eb8829a37cf2c9fcfc3ba36aa161aaca8a3c0e342f71f43781a575ee0669fb380b66a7e8adad32b5472abb570b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUce.exe

Filesize
456KB

MD5
37ec28c377ac2492ab400f82a298b4ed

SHA1
43779e49d217ca087e85607731c77420d5487456

SHA256
c962d2e877a3f3908e403d4a1b3713859d10953453430f0b6037354b5b47b5fb

SHA512
043424e37fc1bb9373e624cff5936786fd81601786e996312035c30acd8ff8a69182855781bb9b27af5732f0601172c0cc80a866a5c60068e239205af261c488

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcII.exe

Filesize
481KB

MD5
11acb5acabd53acdd61963292c84847e

SHA1
e41a87f4d48a838495460e069771967b76ceb6a9

SHA256
e00cbf7e612c3f484721a2528cd08457e5a4239b09791dcb32799b23ff3b1eb1

SHA512
ceaa6e05a58bff81b8112f137656df2ca99239853d92cbdfbc821cc08e9fd330f41865e00f04363abc736ce092f1f37a815acfbe3e4e0142389cce6d0f53a8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcQC.exe

Filesize
881KB

MD5
8d5ba9743adf7b4ee2673a0ea625e3b9

SHA1
d537bb02dcabe92284aa35b80f4a172dd851dfbf

SHA256
b3812c54aa841a8d326c20bd3d4f823dc43556c17e186b738e2ebc344de7e6b4

SHA512
b8c4deb04839c1d5722f469d2fc3fc8546736da4a0ff1135277457a27743056f3a2d3b3e52a702b56926cd2823ee14abd811e31153cd1ce50a0d3d98a35b8561

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoQQ.exe

Filesize
1.2MB

MD5
6f82b9f2a180442a04c51de31ce8a0a0

SHA1
2f4f77c30f1f46f53961537594234680d697f550

SHA256
a3c8cfb7ee212d396a9c49bd7315790ddc9e03adf9e0127d2d3b3395fcbd2784

SHA512
76e448b5b2ed197d5ed75a885aea3cf828c8c98fb548281f82d95edb4da7abfbdf80b754ff9eabfc6824475cffac80c1ad052df6ae35840f831696afe1ae9d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eooo.exe

Filesize
476KB

MD5
255cdd70cf6855848c13791a1dcbd505

SHA1
430fe4ffa2f858d70a007bca1056459c1893c304

SHA256
114cf3be5dc9c61cb657acf8df74cefcffb7a3ae2075b65800d7f1444cbcf37a

SHA512
23f674d979f2a9e13a653d0f1ca7042476101495d802a880326a20b0cf1d95f8223033085a5d37db000c4224c60800e8ab3eb94d77929c0715f248a9e2e3ae73

Download Submit
C:\Users\Admin\AppData\Local\Temp\EyYUYUkk.bat

Filesize
4B

MD5
b76beb717f2b3ba4243d8d6c9909983c

SHA1
3d39751334e2216215195fe0b0cc6408d8c05107

SHA256
9eb42dc60debfaaba790fa4cf46f304bbb38d526ade3bf2ac3546c548fd59b23

SHA512
09a33c02e64da1fd030c19b74df2fb1f4f81b718e59712c4534b7c14e15ea1b8b06dedec1a3a41c8cdec5fe7133b0985d88f63f656151976c400186776a28062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEoE.exe

Filesize
480KB

MD5
3b6b429686844825449fe362eb5f7023

SHA1
6a8b516ea49676be8bbc1f4d5ee1e18655f9dc1d

SHA256
751b467370dd4a562336b0cb0e70c9f2e25a70b723432a8f17e1ad4ed7d46256

SHA512
70369f80b4da1b202145dd7568030a8c48a03ba17e4851569f27e153bd244112b394319f54cacd09fe907fd6b4e34bedbcfef77b5297f44dd80e1fda31b37ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKwo.ico

Filesize
4KB

MD5
8e03abdaa3016247fdd755b7130384bc

SHA1
08dd2d9541e1961b06957fe9a19ce83aeff51a5d

SHA256
42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8

SHA512
e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMcg.exe

Filesize
1.1MB

MD5
ec66064404032d212849f3edc24a860a

SHA1
41fce41926390429132cda0be4d130a059d1a4cf

SHA256
7060f752ef0af391fa6a8d8ae2176799d9874e939070685c534e8967c2af3a5c

SHA512
72b266bf648511bde246f2846518b32191368f69ec85c1efcfe60538567be94dcb12156cd592f0ebb3e1598181137bf7679a8c376b085c2a1951ab70c4ed1424

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMkK.exe

Filesize
482KB

MD5
5ec3b9eac721902e1116e151c9911e45

SHA1
b29c2f295697970ef08140836b8e545ff7cfaa57

SHA256
fa1e9bc0630776b496bf5744007d50d47eb10addb372db5774411b7582a7e909

SHA512
b33015111b71f94e35d628229cbd49dd16dbf21bdbb8b296907072f97ee009fffa4a1b49a76b21650b80e3f6dfbfd041e1e8595d44849784c151463d29bfba0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMoq.exe

Filesize
481KB

MD5
017ba210975416e54afa7f9dbdaf23d9

SHA1
b9291b15d0c01c3d598b87d109ca8726c224cbbb

SHA256
05c51eeb472465c95f7cb4c8ad64d42cf21f31c6b72a72a3a79c1ff6acabff29

SHA512
ad891beab99818958b438c332fa9b11025140a7a04368e084b0c3822e0dc09a99cdbde1f9508260f14fd56c4179b831c05bcacacdf1064ded42cec2f1fecd2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQAW.exe

Filesize
437KB

MD5
2d15c8ceb546f956b38955c31230e9ec

SHA1
90f8dda37321d310e41caf856e84bb4fc5a71528

SHA256
049ea15a9cb8909c81190eb3e6dd4de4a991841bac9bb39617c97494e6584dc0

SHA512
ff88a1dc49668204b2e19186c3f23e076402c2445ba335a4f9e9e919ad2135a63a8d01b6bcee1917fa14176d2c550d25f2755a89f59e27ab3b31bdb0abc1a287

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gcki.exe

Filesize
483KB

MD5
4c9eb81d169c9ade7e4184019246b794

SHA1
8474e98a05b7b44aac7dc766b8f35b1ae117e366

SHA256
5a72d11a4a7c87b16b306425afea9bb81686b78e0c1bd3d63ebc12983caadbf5

SHA512
8094c7e036e61b903692e013e0c312c5793cc78d688da40fd2abf32fe90655337a0322de64a05a791d3b1da668f01e0b6644214a88ea8cfb77baf6ce1d9065d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsMg.exe

Filesize
441KB

MD5
e08eeb08ee4e03e10edbd7f5492f0301

SHA1
0368d4da4cec3bec7c74cb39d3554e690399900a

SHA256
f19d68d1832d96c8924035843729da0b9c407c349c249e5c818b4bb7d7c13d92

SHA512
e225dc78cf7d4e8c9e70fa3aee5c4339d6f514e3c1eff1065247db222c140c59d86a619bfcd80643572eb0687b0671de6070a0a2194ca35c601d01e453ec8c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUUk.exe

Filesize
480KB

MD5
f49a9a4fdc2515eb01b7dc6d77a07504

SHA1
933d03466189c4999c5cae49d913f7dd9231537d

SHA256
273228168d8d368bde5b3eba96acaed23753fc90af2252775b2a76ce76620a9d

SHA512
bedf61d47adcfd7103b2ad9d4e9a626a0198dbfc88efad602e0019741a002653a372231dd88c724b10a8f5a08e69519271701fbd6114943df04be7769851e82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JmkUskMc.bat

Filesize
4B

MD5
6143865429af80cc43b0ea6a1268adae

SHA1
cd56822ea0e86b51222fe5e830a9921ef88b099f

SHA256
feddca6ad58724b6b257f66b7946f3f3f84f1b8041cca3fc848f64d02368a180

SHA512
df60f0315ef3f5cbddaa6811db8a5d0f0faf7c561e70897083dbf46ecd8a30b855ce740a2b8a561a0ee6149c156e8b6cc8983cdd67e2d17e1dfab317ea78ae19

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqYEkscc.bat

Filesize
4B

MD5
e0c31ceb657eefde71d520030c1f15dc

SHA1
c76c4c9e46c0445abc91961611e8faaebfdc638c

SHA256
35a0efb564e645ad2192c6960c97b0f8eb7dc84f41d8d69869e297f4bcf540ca

SHA512
9293e675764e292e354236cc58b47b64bfa95e50b365e70d1168749f3f08876b7831baead75a9328050a079443b7b6d75b8240e66b240dfad9fe60329c14e880

Download Submit
C:\Users\Admin\AppData\Local\Temp\KSsw.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcwA.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIYkIEwM.bat

Filesize
4B

MD5
194278fc638c3324eb802bca1af4da82

SHA1
cb9ab38fb54c4bf5d3f39fb0176d484f6931aa9b

SHA256
d9c35b8474434a8ed65b48a1821014a30ac8672fab3cdca968f3f41769e28be6

SHA512
4f9f25810f9ec104da722d3fca75150072f637d476d0deb46ace62b1e19d8ec547a7643d5ba54d187a3e72eb34ebb2e0ef1e368798688d1df8d548dc3bc3c9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWMkkYsw.bat

Filesize
4B

MD5
f19fffd0044bffedb9e6392c1abd4e62

SHA1
26d20988a980b230efb8bf624698eba97d89dd01

SHA256
ab5f75f6a6f2e5233bd9e0b52e024951678add815468f9056c51930ef65806e0

SHA512
2dd6acdd3764feb744967cdb83caeb523b09af65eb13621f39b46cff962fea0ad083269b2e78316344dce24bfe18e100cc39ed9944a0edb90b4da782691b6e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAAO.exe

Filesize
479KB

MD5
1e04b995d903042d49c9e40d52bfebae

SHA1
404f27c306f671b981a3058219c2cf8d25d9cbd0

SHA256
022d7da7b382bf08b07110b55ebb06fdbb27b1398576775070ec27ce3e6a2c42

SHA512
efeb446c4e2894e27e4cfb3d59b3ff608275be81f6bc342a3755963f2c4fbc21315221e7d788ec8924a11ab44934d7a6ad6917349ba4544d9666a8426540f169

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEwI.exe

Filesize
479KB

MD5
f23fd2157046dcf6c633db6df89cede2

SHA1
6395a36b76888832a739fe0e307abcd182e466e3

SHA256
778619144ac9b4a5292e949771e96f949bafe5074150bebfe42551858bed3e7a

SHA512
791ef0d42f0fe2b02b715c10878f2ce7cbac5fe00f5f73cc560bd09fdf0493991ddb504de1f6cd0ccfa02cf354a9c0664d87ca6ec50aaa67eec60a2d34710855

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIkMAQQ.bat

Filesize
4B

MD5
a67fc6b7a189fcc6692b4abfdbc5f5aa

SHA1
54488ceac3447175688fc01fa3b6cae2adac074f

SHA256
66cab8a36e5c1e77d3dc67dedf85e48383589f2fe45b9b6b3e2d92052bb5b75e

SHA512
828a6e09e36653efd8f5a02caceeb5a92a53197526127452d8c0b07a16e836e51917079fc255975368874603677f486d5f05f2d0578f348b83f872c06a5d4237

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYgq.exe

Filesize
962KB

MD5
5a207e7e07b4fec4890b3360216d003a

SHA1
e7120a8deaf1937198ab9219ce182bb833028f58

SHA256
6501045bc4e22fc3f157aeafca998671dd6fa567997c2038b3089869371b9a24

SHA512
3d93ba48c1ec3886576c2908c3e64d220f17ba013f1e1e47794ea51321fb4b22287efaad2d46544ac888a3ab5c6b22d8861b45beb6fac940a03dccf8cd90c14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MokwIcwU.bat

Filesize
4B

MD5
8642a402f5c387b00d8884040064e2a0

SHA1
1d62eeba2fda1891d3c8afa792e6ba5d01821015

SHA256
d992e2247ed237b007a9e8f4d318fce84b5d38efcd1ea487c64ec93ce9698b9b

SHA512
8c2893da3fb9261f7e2f678235a925df1b589f90f2b854fbfb02b83a3c01d13eb467be062b484ad7d45aed806c4ef04383ddf55acbf3d9d466628e0d20a4eb1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mooa.exe

Filesize
1016KB

MD5
7a98a265ee6e670f360f37f3f447b092

SHA1
52d1b5a186a986d1ab889a419f5f8bd1b9dfccb2

SHA256
3d5ba24a480f05d00883b224fcc6266ec39f40f36be514eaf9cad58c87007f80

SHA512
d8e341845672002d51dd452b8c4b5207be5ba03dc860121bbf5739fbaded35e943f33c5ee9e5f1576b0f7cd297ca9e290feb076e21ae7dbe39fcf206773be917

Download Submit
C:\Users\Admin\AppData\Local\Temp\MyIk.ico

Filesize
4KB

MD5
95a3f981c6a54d59d23d6a6c93de8f98

SHA1
a092c67e4c00aadedefee03b5184300cf1ab303e

SHA256
5e15e82b2386bb62937ea83a7a11088ce2d506b7846e6e77093bf5903d97f51b

SHA512
242d0a16e3bb36ab857033ab2d66e55a91a87171508aa3176a62fa9b0a23c35966c26805d664afb7c44a4d8e749818c6499968c7adf577e6afe8b993f3e1f4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAAMIwsE.bat

Filesize
4B

MD5
b32d663890f31153f32696b538da7938

SHA1
73f0e0521e96909f086c886c048d4923f22b4ec0

SHA256
eb32bdf38e42200e6eb8d491e6346a03b2c5371df009f18279011e073bd09199

SHA512
49ae9ef1d08422bdf814bf6ac6254225a92e5baa995bb8d49d03ae71120d5908fa343f9bfaa93e790f82a6fd9dd0881e151e29243c11c9ff4dc75e1a1db71396

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQYEsMUo.bat

Filesize
4B

MD5
7b5af38ebc9383bac494d4b0c0e15f14

SHA1
ce1be830091687e0a9c8e50aaa1c7c89168402c0

SHA256
ef0e1214641502b6234e70d17578a4753cb72236bd9b347d68108686ca89af3f

SHA512
011d8474a39b4cab033e27a9f782665de3d7016b1c4388507a15d0114743e07459cc57e54fdf7b90ac41dd79bda8cd652e60017486bbce14c248d1f654edb2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NisAIcAg.bat

Filesize
4B

MD5
14b83a9e82d7d50765a4e28ded5728b9

SHA1
4b7e057fc9a193c5c20f3c53dc7809d5923cac4a

SHA256
c5c31c77653953a775d9c3d4149618215f3770be6bf19f0aceffc87667d21495

SHA512
6f20f76f520ef38d55a14d175a131fefa77c9ec33c51617d196d4a7c036b3df984314064fe41391ff813eb473ec6a8c14a186deab9d37fd0401da3cf961df6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIIk.exe

Filesize
1.0MB

MD5
f1de929621c804446f9de6704f3cb1ec

SHA1
2765eacd2ebdcf82f7facc8647b8b311bcfa0197

SHA256
93f6a875aa4343060e07678b9a21c464dc0faa44e445b3719f46195dce1930a2

SHA512
b058ff22af4213de57eac41f256e3173f19364e5f68ea40efc9cd68dc41047a2dd76aeb0c525690ecf7aeb5bd5daddf524756f431747080c7585ce6d4a5b4c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQwE.ico

Filesize
4KB

MD5
cb85c324348e99321fa9609bbc366cd4

SHA1
7a1a7d60fc5fe1ab6324e18170f482f04d65fd9d

SHA256
47bfbc630ae0606ed28182a560f86bbf9da0f453a94e82fd314aa7c72aaf677a

SHA512
e51f77b624201985955e6c82a078044a20baaa9f5e02ba1a0d02f00a4c95c6b8c4f615c5eb38b76801bd1838ec91451cf1e1f284dfe60b0cb9e125f728ff6a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUsk.exe

Filesize
437KB

MD5
53c2dbba8a99400fd6e6ea70a7d32563

SHA1
6afb4265b1f0fe8e5dd6935b4948ef3892324cab

SHA256
63fc48eb179774d4c1679e5b83d318bcc585726a6385775485ce1ffc5e526997

SHA512
09269b28acd235f696d37e1dd88f7a0dfd550e7895f1c957106a8e04982ab0750cb5c88b73189e374c316c3638af144e32997a29faa28aa0d49d795646b7c28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OeoA.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogci.exe

Filesize
478KB

MD5
52c9ed8751f0a5b997da648010ac9803

SHA1
f10c1d32024f1a795d9090fa86bb35c101013051

SHA256
52fe0953771c1013e76ed5fde08f9d840178e7ff7c66e8eb91d61f82b18254f7

SHA512
1514136562ea2f3d7bbc703cd60307cc6855f8c5105fa2d79740ddb3b7ba99066d91d277e6764407c6c74815693a857a8153431e752960d9bc90a128f5e391dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgwW.exe

Filesize
479KB

MD5
b9d155fa3a7013fa37193c86bfd16f76

SHA1
9d9109d7e8d56f1161635fb7c3f2da79bd7b5813

SHA256
f0aa5d9eb838444c5b17e05ace8498f7f59e16e526680ecae3f1753738afa976

SHA512
3dee7f319d9bce807a8cb1fd71393f5ab5c0bc9e4677f1d9fef60a9008ba1f68390212e2546d5f6eed0850ce109da435a93321adf898a19fef8dc916f0183011

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsMsMMUk.bat

Filesize
4B

MD5
3f244476b840e5c732355c5df364599b

SHA1
fd09d88103c5919d6d3268b775bc8a1911e35fc0

SHA256
80a79b1973e5024c71def7cc801afe76e569040db4335ae31cebb82f6c31f478

SHA512
716d14279049426dda82d1e3330288638e9c46e8e20c20ab34ec5e30fe584bf77d2c2996d37eafddbf401060eadf08f002ea1d4a7fa3a099bc2e8e0ef48e08af

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwoM.exe

Filesize
1.2MB

MD5
1cd00c5805f7e62be63f7874ad74c2e2

SHA1
284c31bdcb1098b4555c74cf657c70fc54cfafc3

SHA256
622a33870edee433f46fd699ead88a97a18895b2fa446788421adcbf051e9719

SHA512
fcc9d22c1f3cfad07da2da3f2069cce43678ce6a20d844bf776067429d75aff61fba698c9a0f00b1a48f993920a6560adebd5cc5383e02ffd83163242bb4754a

Download Submit
C:\Users\Admin\AppData\Local\Temp\POUYUYoQ.bat

Filesize
4B

MD5
aca9aeef0bed369fa74fed80ccb50534

SHA1
977a981534b42d05047845208e0c6edecd6f6bfd

SHA256
be55cfe24ef20fe911db528b9b49f681f01b73ef3dd2795e52759840139b6b27

SHA512
ac1a34a5109eb094dc05e8a327d640d432f66724a6fb865c636eac0a5b3e4233d3b59484322ed33a1eade44309c823d539c93a511399528f4c7ea4b1fdf9b456

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSUYwQQE.bat

Filesize
4B

MD5
a2a1ac93e2dcb4f8962fa7d6a96eb24c

SHA1
9e3076f8233a3135607988087b0f9dfa4e0bf604

SHA256
3cf1ee7f599614952cf8f7fce2f6b3904e3d7fbef65c5af4a0d58d1ff3eda316

SHA512
bb119e14d3cdae4cbc2545e7ce383460308906e43fc31f6f9a235c2ba986275a2489b71cc85fbb3d791dc585b91108762cb50e3fe529087a2f7032bf6cb41118

Download Submit
C:\Users\Admin\AppData\Local\Temp\PWoUAYUo.bat

Filesize
4B

MD5
de4e7de75a2b6bef1efdec3e54cd4156

SHA1
f7229d6607db3ca4430444a73b78903644b22edd

SHA256
4a90dcb6b7e42bcd13fea094f623185a64889677f142de61d43af12db0e8f142

SHA512
7c86c8fdd99cc82c89f378bc31c94768b700b86613533bb0cf5d630d08884260e5045d15183a0523dfb3511f1203d74799dc32655a9ca11f4ead19417338aac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PmEQoMkk.bat

Filesize
4B

MD5
8f18902f8867e8ce6833c34dadb117b5

SHA1
03da6bc9da99098ad48b90aa47da54330af66e7d

SHA256
1c8078adb5ea87f03fce25ec8e58158cdc883db33a884fccfdaf37f49c1408bb

SHA512
8be56c3b5a0741d9d323b4cd214d073a4c07faa8a8194c29ba079643099510098e1b8e631f13b8867dcab03bc6fe418f9b6cdf16b605fccb1a7ad707f6015ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIck.exe

Filesize
889KB

MD5
c9a4d7b117e53cf6fdf786c997371fce

SHA1
991421b311fae0b6fa9d20e446930cf773bd024b

SHA256
de08d2e1522f9ec3c00be0533ab8d48b0f70f669f7338e97213859d5b3e3c7e5

SHA512
03ed39d816d717fa6ccb7b7b6441a8be4e87f7b55af314cf0df56a220883f35d753eacbea9748550508d58a62de0d1e97a54da5cbc1cee6a2ef33047162b2da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMwW.exe

Filesize
479KB

MD5
5aaa125636941d4c2f0ec587f2193e25

SHA1
ffe40509306bdcdd66c5dc1f34455d784f865ea9

SHA256
c376ae8a1eb88cc1a4c889a5da9c0e64608c95349ffb0074d988543855936f59

SHA512
9dd509af6502e23366cb6bb8cd07579a06fd1c4667c6853224743e997f339fe0e41372f94215fb894c29e95df7d89a588f87e41b884411491ff2246559e61513

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcYcYsUw.bat

Filesize
4B

MD5
b82cc1be64c58b5f88a7646c478172a1

SHA1
4d1fd8727f3c984faea0c18d0008d14f6ae4a824

SHA256
40d4ffd15327acea87aa3a1aaa75058546042d71404cd42e92f48b4294070232

SHA512
c9ef9c0e1968ece9c37fc89740643d4e751ef08af39508af77645efa77260b7842ded2ba9cc5002e2f0ff3b345cf172fddaec1d63072fcefca3c7bc6f9f881ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\QssG.exe

Filesize
478KB

MD5
bd67cec07a68777962e1eb022ce0e3a3

SHA1
3b08e19849702b0cc1910b048c27b4bc758454dd

SHA256
32024d1e1db313954cdc569e9b6f54491f2583000882e28fb602779387bd5cd8

SHA512
1cd98e612466aee75d853684707f49bb151437fe9c8077fbfd0844f33e6ee18caf4a366fe384b111715f39530d83fb598b8e168440e7d019fd339c09237ea492

Download Submit
C:\Users\Admin\AppData\Local\Temp\QusswEoY.bat

Filesize
4B

MD5
5b682ba898fcccca0523ca756403077f

SHA1
68352e5161655cab5bc5f5251e97ab99d0711759

SHA256
bbadcb8703b2991da95709c58f56c6948c34870ae2d7b7a88b4a94bd0c9bf837

SHA512
0b155d8c5f883698d5f8e9c616c188dbf17ed3817ecbe011021825ae23a8aebf5ecd394d5c51cbe1d62beade8a0e505f31e22b1f1a4732b0025f00fa34113afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQYIIogk.bat

Filesize
4B

MD5
2ab5168b7642680247eeea50415ab5d3

SHA1
1bb69218a65df66eb39f68e441b2499c7290cc76

SHA256
171f5f0b746c307413cd1c8f4070d5b5b1f1046323bd4250e79f04c2f1216862

SHA512
b01034a5e92b51be49ca9a3347d4bf2bdfbf923a79e12a399fdf29675e916a5af251b0eb7ee7d83b26b8063161c103bde525b7318d5cff458977bd50d1229826

Download Submit
C:\Users\Admin\AppData\Local\Temp\SaYckcIM.bat

Filesize
4B

MD5
723f7455b6d6d7f0832a5eaa2209441b

SHA1
c6db58d3d6cd14640c68776e418cbcf4089a402f

SHA256
4c83cf94e2ad8dff5478d6f5c9c61c05d170de6d53732befce70a9a3a0525de1

SHA512
96f619f5605a0119ae1c8d688e9be589a28d2244203cec41b5aef4b1a59452bf12713d5c44fb65343aa5b224afd8d0651c524f58dccb680178b4bf1bf7316c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoIQ.exe

Filesize
481KB

MD5
bc1b03e8204563a85957c37f88f69e3d

SHA1
cab785c61fe565b6a8246db7805c7d738865131b

SHA256
042b6f437685eabef7c635d78569f58612a18437b489f8b4259ea19a13b08fbf

SHA512
02e77ad1d195931a250ed330de02304e75bbe25efa1c81eec3ac926b574accefed69efbee0db08317e144f4fa8c50c997c88c49e6a0e8c9fdfc2d8189d690970

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQUUsUsc.bat

Filesize
4B

MD5
228ca0d4f81b60637006230ba221ecad

SHA1
7cc4b62c8d07b14c95b5a5896fb2d71ef2a54903

SHA256
3865811ac402123faaecc5507bdc89f7fa8dfef2e95796f4fa6c363f9cdd8cd6

SHA512
be9b4662d859eedee15b68308f55094cf228e6f909567bbd7863958ee8556f70f7066726d32b885f5c887ccbe1f6d5eced1b7d69a1999fef612df4d12150748b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEMu.exe

Filesize
479KB

MD5
bc0b40122295676fd3575e166b10c99d

SHA1
44d4975e241fac10d07d85e214a01ae81408cf62

SHA256
2ba60c1d8d9e769ed32d1d5ada5d3b44ec84d8ea6aae7244ac4cc6b3ed366cc4

SHA512
e8545f89a48417a18ac086485b6f33fbe89ee78863146c59da135fbaddb475a4511b177e094501ee6ef26e951a5a15de73db33daa0baa6f5ad3198faa9e2eb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEQE.exe

Filesize
481KB

MD5
82926a43f4db2010dc3d49b2691cc08d

SHA1
e9c0da2b5b10abe118f16c3d3da3beef801a0832

SHA256
b9f77c0f58559ee5344c21b4ba82814776dbc36571387fcb2730dab4ebfa0731

SHA512
294c23c1540c73e3d1786a6086459d8eec087c93c739228657e06ec6e4ccd4511a7b317c9b2f21fae0cf910705ad77288eaacedd5d4532cfd4fa810ca92f144a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMMA.exe

Filesize
1.0MB

MD5
f0c3de1cffaa742325a84b5f1819abe6

SHA1
c39faff5cbac1279c29b0f432bf85bace28983f5

SHA256
3f9ab2b31ffe4880e9775313351d3266fb9c8570f6ab713b57b38720c16776a8

SHA512
fd29fc8c6f6419725eb2f8740aa3b265e744f45fb44dd775e113251f8440255a274e148701c095ae4aa7f08bbf9fb2ae0249314bae1ee3edbe56852c52e1c18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQgC.exe

Filesize
483KB

MD5
eb98401a9a5cc42dcf09989f6b83e6af

SHA1
acf6ee07b0c425f3c1442083cfe61ef8b598e3d4

SHA256
5216e9d80ddc0bc39e5cdcc82114f112548eefdf638f52cb6c0e59f6a0f5033a

SHA512
8941e7008b93fde48da7a5b57dc4fc4aa850dc0bfe16cf35b0c5431f39b57899264a11bebfd222fece60ee484c1cd6fa3051d7b35aca43e561f92868405c61f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUAS.exe

Filesize
482KB

MD5
5252502db91757dacf972f40ce12231e

SHA1
49a9b3f6d9a7e5a3f6ba0b22cacddfb383dd5028

SHA256
6fe26512a050f4992eb2613a70bc4ca7c7cc6f2ece7a76470caf8a40375452f8

SHA512
d69220748afaea0d601d22d43d1906e6e034d3747c82b4518c7efa31d788fdbc61dbfc4f69d7e0a957e8ef70f9506e3b220588b4e55a572cef9df1a3e71bb035

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcYK.exe

Filesize
453KB

MD5
bf92a405ce6c6b30f37b7daf63d69dc2

SHA1
ace7297e5edd77b41b1beb434db09f8fb2872a0d

SHA256
b5c58fe56c0b5cf48fab92cd450d208cad587645ae7a05617d0e15cc9fc8e4a0

SHA512
9f1b7d7fa923c59ab92639e36b063a35dd431c685f7fe6ee2ce6dc4f979b60fa4ae1e6ad91abe411f91210e2460ed9db37ec1ab801d82857a37cb721351cd2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UoUUwkUk.bat

Filesize
4B

MD5
ebd11462dfa9f2bc5b22e3083713019c

SHA1
44a12f33fc2457fa377c53425c373d44a042f402

SHA256
7a8fb8b7cc9198ee23786f28dd22a969f0d5af94b350842f83fd9f0300b4f1f8

SHA512
663e4c4281cd84937a740c41ed5c02ef0cc9cf2f0218be9fcc9f1f50f764c1da41619ae97a16bc2381c705194ffa2395a4526f15de635155345b8d95f00bfe6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UscA.exe

Filesize
1020KB

MD5
e0f7bbf2e3db876c0579e277a5316d85

SHA1
d4b733502f5f248fbe3e9a6262a008258c8af93b

SHA256
95fb8a2867aa2b0ebe2c8856515fad8d6006c74caa659127d863cf66faba7a5d

SHA512
073cae3ddca4a396b752ec1462fb9a17a7c23ee56a40cd30b27b38617028e3309b08f935bb22e80144dd30f8746a7cfe88fb01a088207c9461018aaac827bada

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwAq.exe

Filesize
1.2MB

MD5
837b208e63d5098630b4fc7b63a3bc3b

SHA1
30197e253c55245548ed955bd2f37879e2e1067f

SHA256
c0980a33dc2dae93a7acace334b2a53efdb8843cc49ecdd84417bb9482b38ae6

SHA512
e719ac6fa9f2c645ca9d6a2459420f9452ac5d1b107bfdf1aaf4abcbfc2680f9162106d3680cb3416fb1a58ecce975357f8eb6f554f8af7d24cf45f3b49451d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwQS.exe

Filesize
5.0MB

MD5
2fc4d4c331a363e99b0d6cbfe51839bc

SHA1
830dce666cb70dcce607b9bff457e9ad506d8439

SHA256
262d43d34afd3963bf5c9837dd7d1e92f3b23238f0fa7c7813ebedc131d57672

SHA512
96a7ad01a109233448c374950128a60c90f3093eed8013369f993220efc9c2aa05d40490ded61d0a338594e5866b9133278551a94f0ca7e12d830ef338f58837

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIAA.exe

Filesize
477KB

MD5
0c8f3fdc0d2c88af0bfe2dc99b41e50e

SHA1
4abc9440dc798fd65fb1abb38a83356239383bc3

SHA256
c1959c0c1d7713090876f46ad57743e4868656ec697375bb23d0182d4876ca5e

SHA512
a72337b4d14410a0fefa537ff4b05d893f32674fa6f650940bec4289a829d1dc43530b4dcf7344883c59714e66cb21c13c3db881bff1290875edfb1cf165e5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIsU.exe

Filesize
438KB

MD5
26b15cd09ca42b7894403db02f2972b9

SHA1
dde61f9a5da9d78f4af25d6a7d424f8dfd05229f

SHA256
fc62d1ed85ba9e81c834337a633c637ce72bf46312056de17ca5eb484c37a95b

SHA512
bcc10f670f531ce647c69ca68ae507381f42d69e5046026538e4712fa846015179afb2981144ce71235b7c7fa3cd14ec0e6a12c8900c5fffddae275d037ea76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwYUwgcU.bat

Filesize
4B

MD5
065e25d961d1380fa7471f9ed21e8ede

SHA1
da470622300f486ec1b6d40aaf10e8b440b962d6

SHA256
402a2d5e2df69994c1f3c6de49902f34976a6984c3d0e98600ecde454050dcb0

SHA512
7f5af1ee594d5b438576f98fc8af511cb4c7db27470753ed69d6bfb71e6851fd79ed51af0703b36f82b6b52dfe3b9cb8cc033c815f33bd036c8253f870d8df60

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEgAEYgg.bat

Filesize
4B

MD5
84aa5095f69dad08c3ef295794eaaf97

SHA1
1d1eb5e67c52e797d62114d32558349f75614f02

SHA256
d2c98fe7fa73e50b038900ad86e711ea8f3378ed46a9612dfb0ad461df706f76

SHA512
5e61e284006cdbf59b4cedc0f90479c041b2ab63172b58c80cbd50d6be66d6cb08c226bec768f9d62226f73079ed7b04b6f7abee968fce889396c8009662700f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIku.exe

Filesize
481KB

MD5
af0b650994fe5e1e52ab6c6a63538ba7

SHA1
ff5fa7985b6f8eddce882e9d944160750731a80f

SHA256
cae44256ad1ba72ed0f9147511d342a479f9738d7b667fa3669478596b5a45ae

SHA512
313d4e3a434181b33d6f3fb66730af28bf04072b66f55fa28bbbc0c7291d92c3b1c78366ea75b551ae668d3b08ae9a04f382ef34b1ebc9cf5039d09e1ca7b190

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMcC.exe

Filesize
478KB

MD5
e0603ced92a85fbde429411c74123c67

SHA1
6f76462beb089dcb63ec9da785a79126a4e6a03f

SHA256
b84a205b4e5f629116fc0a3b448e1fcc0eb264950a87b1a1053807b9cb0590a5

SHA512
0f8858788c08be0c8280c60a8fb3331101d76171964b1c6b16a189875ab459c5f6cfc3c23abf6921662c4145062a8c3eff3487b15ef50f0d224bf96a3a4ca835

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMgU.exe

Filesize
479KB

MD5
34d8e93080e7c2ab486f0de3b29b7024

SHA1
6c68fdc3c74acd561bca3a26b3425e7646d70018

SHA256
5295dacebcbe21e064f496d9baafaa9a6dbaa742799080a2ebaa14190a45fad2

SHA512
053754aeaf2c55e1b12124f20f2c84b22562543a14e40b459796155b1c7e7871506e2bd99ad12f3dc8a4728026f107f25649687e8d1e6c32ff566a7e956b8ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUEe.exe

Filesize
481KB

MD5
81a63467c49a7073607afbc61376f908

SHA1
a751b5f44324312c56fbd8aeb36a0881ed46c916

SHA256
06b6540b862f222cdbc2a3be38d856a1ab61ccf9e279e040ad3a163ce2fc0857

SHA512
8e8a6800541ccdd2c71418e74986358499fa0e1c227c5d09c12b6a3c7a3865e75f2771f565c376e225e6a730535b39f18d7c0f51d9c2a36f326e2f15fef45fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ygwi.exe

Filesize
478KB

MD5
6bbe6a629dee39ffa2234e57a10116f7

SHA1
b4e2f699e4613b3ea7c03fbcf013853c3bf627e2

SHA256
b55bc66ee7a7cbf1365dfd98a28f482ac6e15affc0f280d1eecaf9e159271fc6

SHA512
ae82d2d60548d3fbad45f49ee156bc06b86c6219f253c9ad753968ee1c4622810d233d97d60ad4c95a56539fc0477c2e54e62a8aa5c207c1a343bacab14f8e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoYe.exe

Filesize
458KB

MD5
afaffd6fe6743f069fc31e7e59fb088b

SHA1
dc20998f45d89266fe279573397333a56ee4a060

SHA256
61be5138006a3c9fa2841955378a96c3af461f1fc90d5b32e48b103ca6f73669

SHA512
2df895acec0af05b4ba91793c48e18b385886cb2d330cc43a458c9d5958c43b6387ddbf9462fff8c07a930e9dfc37ed1342980e3756399dbdd9091ba1a1bdce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ysos.exe

Filesize
1.3MB

MD5
dc4e79f660a6a489f952a4a248356b4f

SHA1
bb30d3ffbb9d19dc5f72c15ebe0b20cfffcec85d

SHA256
16903de3736b026b6de5c53eae1b796d3c0db54171e91604af224e7c0d92da86

SHA512
6aa024909642ab7e867e2e444ecfe4db15e43e0b2497a14ad5bbc8c2565d57dace020cd084d89fe460fe2734481966304d237d72efa44cdd37949621043702c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwYIwAcU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMsEcwog.bat

Filesize
4B

MD5
181530bdaefdb4da27dc87d90a3d5ad8

SHA1
59a4ee1155fef8dedff94140a9bd89b5461ac477

SHA256
2def107074f1233d2949aa4c36febdce0b1d55a03b4af5e4ae299f45732b2762

SHA512
ed017d5919e2a73b7a8117425656118018f1d537f13133c4825bc400bb94b07d792f8f88711c8e3e4e56ee42fa0e4202680e84be55729835ff51c6f0890248c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAsC.exe

Filesize
478KB

MD5
494dabf915a52884828be46dd4bbbf3a

SHA1
ee8c66ac9f2848ffc349a164b9b655539515ea17

SHA256
95b7ef6be733420a476aad43bafd975ab8a8af1b57c75a523d63a9818356fdd2

SHA512
b4ce8e59b2d1650862225375713668fad553c877782366c9b90cfbfae9faa24ed7bfd1f7496f2c752936a820040afef03a0aa1fd82e0b4199e4aeb07a88ff15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEgIEIQU.bat

Filesize
4B

MD5
b0fdbe81e1d674173121b61ae6991300

SHA1
ca382d05ebb281e4d500421e6e23c4c2b6a12850

SHA256
c7da163624f81e394b30fa287ca54bddffbeea36247f7cd6d37ed8b45879e8b3

SHA512
ff722b67aa5b4742df6aa895b60ca19bdb70828534e095363a122b9ea67d317501de70155c41632be3fe1408e6e46c1df16f0f2649b0c21e74a70685ec37d500

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEwYkIEQ.bat

Filesize
4B

MD5
006370e3bd6d2b52d569b656f1d12d77

SHA1
0a321de020b0123178e2e0d6484cd5f443b7b580

SHA256
4e0a5f3f67933859056f86b8ca2091dc9a73bbfcbcaeb9e150bc5092e6609e9d

SHA512
83e97b2e1d256124fd6a2ef073f073e9083b1db2026ee784eb9ccbdaddaaec3494f25039f0fe1d62dc5b1100751e373038be7e842517f7eee2c5dff092e864ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\aGockMsw.bat

Filesize
4B

MD5
d0088c6787879e16bf77648d2e37e918

SHA1
265df7d8a7aaf8513d1d6f33b1a217a2d28ebdca

SHA256
d5e1bcaddac057921037feb8c8dc80b4b0fcc109b25433b776059bcbd07f0706

SHA512
b762be0dadff3a01cfbc06c46a0927c43710e9287548fff39be3c793e32a8af01dcc44ac06841129bb1f008ccb0f918f7f3c2fc1d4c1b2ef583aa6a72e415e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoIq.exe

Filesize
483KB

MD5
46da8eafb07f19714bc45abf18bada6d

SHA1
82f6346b001ba33dd74614412b137cd4a494da1c

SHA256
c7c392c0a3a458acebe2fd60420bf0a29eaf3288b9929de93552e74d73852b07

SHA512
f5ab6f7d3d0847723ac1fee534a47d67ed9e352a8bf9ecc747fd40e859b1bd455136682f3a727fbc676bce881db18f6d087348eaebe57401a2c6f7853fff02da

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqkI.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\asQQMQQo.bat

Filesize
4B

MD5
8add4af784080f6453bc0541e40b491b

SHA1
2dc9b7cfb90bacba96ab5d06c9be641b33a45354

SHA256
6664ac05c4b3a8abfacd113b7b7a0de1c2e2188c733c1e5380f316cfcd943490

SHA512
f8be219b95f6680333d5f13b9deb05d5388b6dcff3e17033eb7300742c0e5944fd49dda2ef7abeb5efa7e50ec2ba5c991745a8bff401c3d9361b678202f1ddb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\asUw.exe

Filesize
439KB

MD5
5927f2a7a1a5fed5b02b95c8d65ec49b

SHA1
1baf16111c0acc2946cd5d09bff583fe1d68ca0c

SHA256
5153dd1faa3932aa4e75332dbf17854699e4696edf14cb48781465184190e2b6

SHA512
8561451e16dbe82034a94ca5b9465624115abbe4674a8b711696d82027191a2f907083bdcff0a841fc7e31bd73ec26d7f42977fcf11d83c2d6505b06e3d803ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\awAe.exe

Filesize
1.0MB

MD5
d18c05f91337e4ddab6544f25449911c

SHA1
35d9ef45b8fbb734d169c9b265ee0509bc605741

SHA256
1dd2cd5c9254f25f000e6aee22762eab570ec77892c80d35459c3ae63ad2c251

SHA512
27b6c379fadf6ad313676047098f43a3cc200ec420bdddd65a3cf919afe3445c316b32dc4ec2eeef86c3d20a84b8e690b8ce4f1da7eda9f471a96cd39503991b

Download Submit
C:\Users\Admin\AppData\Local\Temp\awsMIIEI.bat

Filesize
4B

MD5
3d9cbe8f56a8d16dca3f25dc3d717f11

SHA1
baf907452428fb0ddd218d9dd874a96e607a0f2e

SHA256
2355fd5186fbaece37440fb6c553e9e5323ace9dc7891fac295a04b04c3c1c39

SHA512
389a0ac4e9edba7c07c9da42e407e4ea2a52995914a12ed841c52b7b166cf7dcf7fed398607897fafef576f14d9b8e940ea6bbb58bb6bce0d90aae1857014d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\bMMAYQEo.bat

Filesize
4B

MD5
7f26b7a2bfe98daee87750f23ed0d1d3

SHA1
a107885f6b5cc2d2f9ba95d55e57b1f06ad31166

SHA256
1fceed5b4b900fdb628af759080bea9de4352be4386ba8405c84082334896c06

SHA512
849082f3bd0a2077983b7f0d2c0583041316285ed1fc5aa01efb07a93133d36485edb896df4701f4d76823ad176867d16f33978650c70823c35b20ab60c6c884

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgcQkUQU.bat

Filesize
4B

MD5
c2f33d60babb553f4b316c02e1fefeef

SHA1
b618dedbf35162b98730c32eff9eefb61c43defb

SHA256
db14582e621a8364ecc6ab090d795cb45c6d5b0ebce93e77cf47765f6af1b423

SHA512
ff424bccd26cd735f1e3d26c09ad54bfd09443bb61dd5bd3b235fce9c6c2bdb24df5b7ee693303425aa8059ba2841df7b63cba1894e7cdf4a994ae7621718bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwkIgocE.bat

Filesize
4B

MD5
54729b587ccaa8bcedd8f1d26b50d828

SHA1
5470d2d3e9825b2c7daf93d662c9debec4907f8b

SHA256
0ea23de03f6617a38e87cf84867f452a6fff99d9d5adc89e0d8c1a0e197036d6

SHA512
b4c93e17e49dce6447b1438a1d023b6e1e76f579d931f6c42f9f1f602c6124de3082a3c11107d90939eab54baa6961b4e3121aa4d8cd012d2dc2e7d0be787b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIca.exe

Filesize
481KB

MD5
26627f4e8a06573202f452b7b12d0102

SHA1
e196597c82f5044a97b1e337724eb9ae87789de5

SHA256
bba18c1a9a2555be992dbdf601a3fd302e2cc099cec41ff357a0f617f9c0826f

SHA512
00b4da44b6f3e9bc5530bf9b59c9fba268915cea7857b47df07314cf94a8f9b7a94e126cb7595ac87864190cf105818a44997d6a1615403ef8c80198a8bc035a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMEo.exe

Filesize
482KB

MD5
84478bdad099b2d689ae8035756c45ac

SHA1
503ca283d97d4fc7cfc0a135d84c5a864f7187fb

SHA256
95852c15f8208ac6e5ab60c7e2d55712d6b5cafefa550d1992dfb1bc55e56e4a

SHA512
4d285d18e80eee4f237004a527ced46150ecce20ef943a54d480ec658e382b6a6c4cd5f6d884aa8314188bebb85630a6d094f541f264b99f6e98de21e8f4ee9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgoE.exe

Filesize
480KB

MD5
b59008efb04e17de858e7c4de7a21134

SHA1
e39344a06f3c4098cd1fc98a835d62e9d11f2c4c

SHA256
1a9542b9ab3f1ffe65c9f45e1931dc3c7b93cfe84531de1f9742017e3dedee77

SHA512
d2888dbac98239c4b390f41cf1ca153d9dbcfc24f45e5496bf85279002ffaf082e464d350e3121df215a6487d6427abdd0256e5db915cdd1a7dff7e89b1a70fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\dKoIQYcg.bat

Filesize
4B

MD5
55f343457dd42d067441ed4b99cc01b1

SHA1
ee6423494f52f74d957070d3110597bfc3f5ab3a

SHA256
7868dd7da19134e832c9419feb9315e821e73818a02f298ac21383f083d9cbd6

SHA512
b17426c6928eb24bef9ffe6c5f2c2f94e143c1d219a9a669b0f2b6c870553333e66df7bda5afef3a9491c5479193f8e11703a1ca6aba9176cb99a3cce6f19b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\eAEm.exe

Filesize
462KB

MD5
6083b8aded7cca794ee90385739c7be6

SHA1
cbdbb6f4ea450c93a40aff126d175be72b0320d9

SHA256
5859c465938a2144ed5bc36e71e99ace87125fc7a86eb15a0b06c91f006af946

SHA512
050a625abb5194319b0881327fe228e9a26115cf1dcf7f101b76eaa4138b18c2bccc81d946c195416d4dfbcb58af47669534b1bcd5be93fc2a455fb6c1327e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEUC.exe

Filesize
483KB

MD5
5bd80e314676dd39db4b59e7d8476685

SHA1
e7a6e6cc6e387067189dcbcc78befde3776ac588

SHA256
bfb777a74815ebff1161ea282f03594c0c1eb01d968a7ac9f4da2122772f915e

SHA512
de4e0232409b7c0a52e69980bcb098d77bbf851b2bbfe39839d8c4c7e62a0aa178463b728285342db12b80433103e8016a15d664e1270063d193969c32f2863c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQcE.exe

Filesize
444KB

MD5
37963ceeb48d9845e6ff49e2118dcffd

SHA1
33f3b0c4f60b284b010d231c355a2a6939e1ed4e

SHA256
19a589a8113bae95bf801811e913e71618c5cac18dc86869e408a10a5f4708c7

SHA512
deba758ed0cf739875d6fd90e2113707e48a496788d2681a5a5d61d1565e21ff3954e2ac2d986dc137f18c56efb29c793887582009b3e945985ea0d85ee241ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUsgEEQg.bat

Filesize
4B

MD5
befb3f5be20a8e2ccf77da2b872dae03

SHA1
9b1b8aa466d020d7b6dd8318033c0fc66c69bddb

SHA256
ba4d6625d1682f91b859d195d638c7edfc690da83e6b50229a66a5d75af8ed54

SHA512
e73443235ad4c02ff6d31e51b1620a246b2ce398f083746b515ac3e937513d5650bd78a280a3fac2c2ad37ff8ba5d9bb64719e2ca76141ecae94b488325c6028

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecUE.exe

Filesize
482KB

MD5
00dbb76d464567c8e59aaf6a9d2e8ea9

SHA1
57e03dfe09f6c1e97c5a5775315dd81f2e6a8a78

SHA256
7cb0855a0c80ceaaab8ce854c7c06828da9fe73579e5c21eab3399f29a35798d

SHA512
54b4ad0ee830b1e0991ed7d139c3310954fc4230c287af036a5702fac083d00ba1597e5d763f0b2485aff4cfdfd063b9c6225505779362e46e8ab090bf93b541

Download Submit
C:\Users\Admin\AppData\Local\Temp\egMQ.exe

Filesize
8.4MB

MD5
f6a86014f759ffea58a380aff8fab0ce

SHA1
2a192ba515774d5a5f309056c17868947f7f62a5

SHA256
3503bffa7e77cb3ff0d0ca756583504f0a8c215f8c1aada83ef0f9369b962e0d

SHA512
250d8c13f6821c8f9a3de19d25d174532b0165483e4728d6713c617d00ef4e3abcf657b7401bfedaae90d742e857c1c326a3b76f6c1da817cb45aa6852689514

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoYM.exe

Filesize
446KB

MD5
5ced840da519f59ab9439a4dc3d4a3ad

SHA1
dadf9b647ed550ec6fe59398aa48522c2abdcda1

SHA256
d764b822c84456ee13edf9f5d44dcc19a3b378e574b5b028ea01babc1a6db1da

SHA512
df16e1f7c4884a2cbaaa747601ac2321885b38a49abdf659eb14a5ecee40be38e4313cd0185ca8d2815db45ec7e6a11c097d70eb96cbc06e22277fd793c485a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOMkMgkc.bat

Filesize
4B

MD5
fbcd4fd08c281415eb87358c4e02d75a

SHA1
38bb8a70678bfaffe4a579d375d2a546e2446c67

SHA256
5f80e815a69616ab09daca4ae2039128bbb22cf4e300ef181b3aacbc96e2c199

SHA512
e12213cce547e73f09b8fc56d320901ad9e4887f585e614e032918f0771eb4e3140e35216c40a3b6cb4a32ad15954285d10733ee3982ac1a5d32f632ec84174a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAcwgIQg.bat

Filesize
4B

MD5
fee5c9bbbdc70f533a478b279e484b99

SHA1
9c798df67f4feb0740bbc61000a604b702df0677

SHA256
880c1fb052add8046200a3a53e43c8e9b2a007b6805e7db1982421b98004c646

SHA512
783cdc5a26e7e75a25ebed2470e7b677a8d7c0fb73365226de163b0821c50dab8bde5c62439e87108cf622b73a593987ffd81f94f78fbc2e612508c24f0b359e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAsm.exe

Filesize
481KB

MD5
f24eb3df8e27a0d5302c5022b091eb7b

SHA1
fb78114f996f077889cebd56f392be672aebc095

SHA256
edadcdd1a6bc7b9b73a1e5460114f11007e3479a2116c363c140052088400f90

SHA512
ba3a0806f3f788c23d62549c36b2740e8e79d60285a4072624ae50819bfcb8f2c51302f9fa17aedabace89dde2d3f7822686989586beb70715f127f4b2cef1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\gKUMAckY.bat

Filesize
4B

MD5
872b834da8cfed1ea678f4450a5952b7

SHA1
13e2f9f071ffab43aef29aae795744c95a829b70

SHA256
37d2f6b5b226136fee7c633f9d90340f977eda051ca86ff5e9aa1a4cf4749ea7

SHA512
a40f061b43a5d9252bf3a829b4d8900d63cb5e4474fc68f7e2dea454af7a82a9bbdbf6d30eb8cf9ab263a3e2de426bbaf3ab88ee5e8e4bae22f6dbc01037dd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcQM.exe

Filesize
482KB

MD5
41c35e6f5be714c496bf6913394017de

SHA1
94489b1f276a75e6d22f4c6f89197cd9b95888a8

SHA256
3c36607b8dc6630aafca3a32ca8186c70d7275f38ae9fb156a7407b9af5be4f6

SHA512
ca9d884c7ef8b1bc5f83c03067ae1627cdad4df780d7c4a928679bc3c3cfba47dd2ff704a4d373f83904165255f80827f4f2fb181259a41e47d961072af82776

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggEK.exe

Filesize
1.5MB

MD5
f72211cccadc12f5f91253a4cd7cd763

SHA1
35c2a5952335265008ab0cb1388b79c538826799

SHA256
3f85d4ffa2aeabbcae5452ca1317221ca5e4efaad34c8ee9a4f0bda6193bc48d

SHA512
ce7302a9c18cadb4ff5d80120488d5c088b2715f63e77e211ad2cd6812c17baeb587325bec377a3f017f33005329c231d8a8c6ed844fc789d1df1fff6363c5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwwIIocs.bat

Filesize
4B

MD5
0fc00170f20c1d0526f00f9e16c39dd3

SHA1
b506c4fea975ad53771069fbda91df8a3947598b

SHA256
2093aa95c59d4fd1f30e7034e91a6ec90873597e590c72ff067e852842488ec7

SHA512
cab65c5975490f59d87e17d8524cbbafbc4d00fcc4ed9ab97a54d9756b52e57fdc4508a461f63a9c1654bb793c515a4330e0d4f72e46a25eba2fafa70255cbd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hWcgUIwU.bat

Filesize
4B

MD5
e956eb3258a2f007da2a105966fa9f15

SHA1
2a345b5e25b821aae2d80376205b2f3101c50351

SHA256
99e9145830e1107fdee1ebb4ab280d16e8fb6f466858e2e38395238eef682a61

SHA512
21dce26a98369401f627d68d083dea2b9ca5c58be2233aca3d4ed5f0a06048c0577da988006d39d0f59a981f19bdbabdaff8a197bb8bcdafcfd84d99e2ebd40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYAgowEg.bat

Filesize
4B

MD5
bb620697357e6e76322d54712ca47340

SHA1
0eecf5a96aac98ec5b482a818012645f791e62ae

SHA256
d177f0975b7ffc4cd028980777b68f36db1dfb6c284bd56876bc5bace78eccb2

SHA512
dee32683b64bf21a17c7dc2ca8903b6467e9e1af9bd2ef54988873d85d1257135c5aabe133c8955c3b4bad3ec5c483342e9c986ef258892f86c561dfbf5b22dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\haIokcMQ.bat

Filesize
4B

MD5
6f3e487d7ae0e23b4b560a0e6fc78cab

SHA1
e6758b2209e21a6c748a75100e991e8419a1b2f6

SHA256
0335a3bb858e70e2e176aa0b82da0e54ed123f465876012f1309103d22b0e1b9

SHA512
6ec5c0be529d229358d18eee22495e5229ce6aa6e431068e421c630d24ca402d51dce596cdfa23be6ddd00b2a9e4c2a7dc6abc357c7c7a6eb25fb16bfa2e0493

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAks.exe

Filesize
444KB

MD5
1520d29b5d5de280fcce1d82eb5a2b05

SHA1
b54183d40b2f5af7878b5b0344f47c9f0daab7a8

SHA256
52e1e9e3abfb459088128d4e2680a86723f68df4dd819470158f0e9fde3529a1

SHA512
d9bedf4596c2827f2dcb8b4d3c98ff4be44a6981f3b253f802f92eb30afa7af0c62d9a584f64269e9e7813840374c39b2064db25d873fa25c7897a777d46a37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEMy.exe

Filesize
481KB

MD5
ff77d685e5d043b25bb6bcdac0ee5f36

SHA1
a9c1a8516586cf9baaa558eede265e927c8e374a

SHA256
cab1569276ca7b70bac6819aa3a355c02c0b38ab6e01519da42bb671a8ac596d

SHA512
6a1396300a094c47b4efc1a1e5796b4bd227bad882fc0bce1a61db7c5eb3b206c6659e0ee939b588f6edd56a71ff70b630cc464b919b883d5951b8c76c3364c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMUw.exe

Filesize
439KB

MD5
8c0b1903ac3fbed66aa9579e3d419443

SHA1
6f1d5485ea6d4f83375dd1e4b5381abf902e3cff

SHA256
9b00bf8c549f1b5f3d138b6f7529ff467a42fb0f4784c036f388a3e707a6f269

SHA512
53df2831dfd5ece4bdbfc1a03c8f8d7e5eb37dc5ce405e7af8e052f76edf1056d238e8c389ab27802130e16ed5d77fa0ef0e574845a16553e4e294dc4cde17f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQQw.exe

Filesize
1.0MB

MD5
af73ceabbf90a1a9bc346571feae9fd2

SHA1
236d80dbb43f0dbf19dda234fb78b5acc37c328c

SHA256
e7a34e49097ab294ee9384ef9f8e349186540c4f43bf92c720fef6a69d431572

SHA512
5294f5b2f555d7b717ddd45c9de1c2328a2a1a910442884b7910542ca7b248d2d9bcfa914e012893cfe11e958faf5c1928bb123c2c7097635ed50aa2fb08ba43

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQsy.exe

Filesize
480KB

MD5
4173bb8f76d37ac48bff228d81a9a448

SHA1
39fbb26227b0fc922070b85f7cb5b331a60707bd

SHA256
06f9ed2b612ccc096c8ff5e5a2618b1cb27741d97c05c11e065bc503e8a94d46

SHA512
27eca2267b04ae009bcafbeeb7c2ad7378518d4472c0bd61f4001db7b2ac924b8eb0307cdcfb166db5be82f0e4b28454d974c0dc49800c1a0af1a1076d9ca976

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUAo.exe

Filesize
482KB

MD5
acff1e45d7509a4ffe59540e36203f5c

SHA1
c2dd10f1ba9db9a03ce6bca89b3dc7a403fb5c89

SHA256
96d719ee5c70b10dc3acf3358e69a9a86afa6058c7552b0386bf9fb9be480360

SHA512
a665083ab528d1188603d752908a761cb72b54487b6ab96cbc380b08fa24caf0a7753bc40df61d58340988a5a7087261aeb7b5cb4ccf9fbf226687a44ee8ac81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikYw.exe

Filesize
481KB

MD5
299636cc22757fc73857a00819c4156b

SHA1
12175cf5e298b40c50052efa8e0b5b765efa1194

SHA256
823647be3a984d74cfda001abc466aeadf6e42a1d39e363e78405115506c589c

SHA512
7745c10a7106bcd7d375d95141b98be2588be25bafa564e38c44a4ad2a7a2a3acc8bb81d3a301f7bdd7d0638c7e436be4c26951fe4d54fdb73ca12d086d1d7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioYq.exe

Filesize
1018KB

MD5
be0556137799df123a511c16017553f6

SHA1
1aeb2d865bda92af8c1a8f05797b21e94f76798a

SHA256
e54dc05442d27fa17f877c5ca790a51bc3cd21be9bf5c3ee2e0538f0ac1f4944

SHA512
532d0fe00202f2732cc013066f094d4224f35c44b73262b7d9dce6b33a8164a40b31fff87babefe59f3afc184a8a38f93ba16ab372c7622969ebbf48b5f09b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\iosu.exe

Filesize
442KB

MD5
71759fe6efcf35bd7b2f400d99f08a91

SHA1
31939d0df3a60ad32ce9c26ae972d562f701754f

SHA256
5a104741b473ebe74bb55dd1bc80f6711aa185ff2cf816ef433b9931933f048d

SHA512
90e6b0f6e1e27c83a0f39fb990c2a01e0824e3a17e75177f8d7de3a0df0ab2602ac9af8acebb25bb2779cc0613b0b700bd6bf37dd601c7648472f62147900176

Download Submit
C:\Users\Admin\AppData\Local\Temp\isoc.exe

Filesize
734KB

MD5
45773dd1442dfa55c08703071d60ccd4

SHA1
b74a84dad961fc951727bddc2ef0e0616c5fd64c

SHA256
8a7d1b4b402addd1a2ef792c4d62a5c44e470490fef8b3bc3836ff3ca807e1e2

SHA512
8d6668c9b2b5d2a8af8288cc7e87acf5fac3d45103eabdda336070bdf916c5333e27f46a9d2da081c2dafb72b8395c828ede9404759403536653f9bb130a04c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\isww.exe

Filesize
479KB

MD5
c39d7974babb2134ecc19430e66b30ec

SHA1
0fa8bab68d61c1e61f32688dd79a27ded8479064

SHA256
6743161fae92eea428128e21ece2269f88db79cb35c8a73d0067f26acb809e37

SHA512
34a0734c6a7d77cab6729d5e5ea6901118bc500a5ee6872dd7bf9bdef32da8d820e562840aa07972e302404d00e37680c5a21c4c94828f1222cfc7af2b25180b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwwi.exe

Filesize
479KB

MD5
480362dfbcb4bce6d264acfccc59070a

SHA1
70fbb3682d52a34144a3789c74f1b854fa928279

SHA256
76d74f35d601d6c377abd92ae6000b84bf8e7b731763ac851e39569403ddaea2

SHA512
8551e7e1ebf0c86445774361e1b95c220ce00fd8f832547f13123a3c895440e313ffcc89b0182fec7bafa3eb74321051d6841586d1016ecd832b0e5b4d3a331c

Download Submit
C:\Users\Admin\AppData\Local\Temp\joQEIkEY.bat

Filesize
4B

MD5
4e8724b4adee56bdbab99f205275ce2a

SHA1
0138c373dbf3924329a673f63fe6ec9d9e5e203a

SHA256
9fbcb007f996ba6f6aa5b7d6aa81821e43d0179811830bcce9482b8ef925367c

SHA512
90631a290f80123e69a641f7ea68b8ff3579cddb7bbd6a5c263be581e72effea7d48362146427ef81cb7abec1bdd37db35779463e0fafcb5e95afdcbbe6f58e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwQAgAgs.bat

Filesize
4B

MD5
7c8ca233b3ee9d46e4f6ce434e576368

SHA1
f72823dd55921f62e57fc3a0f96aa1137d171360

SHA256
0a4c8b9d8b531e59d68b76d8f3e3ea2facb60d5f06b7ce0237f848b7d229637f

SHA512
ee9513e63207a3c8296af39f6d62e8176d0392ad395bb3e35a26a9bbb525bd06cb18858c74fea7f90271e8c78e12d1d27c00264be7156983f017b46748f88f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIgY.ico

Filesize
4KB

MD5
31b08fa4eec93140c129459a1f6fee05

SHA1
2398072762bb4d85c43b0753eebf4c4db093614f

SHA256
bb4db0f860a9999628e7d43a3cfc5cd51774553937702b4e84fb24f224bc92e6

SHA512
818a0e07a99a12be2114873298363894b3567d71e6aa9ce8b4a24c3b1bb92247450148f9b73386a8144635080be9bb99a713f7ba99cb74f8e82d01234000074d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMUy.exe

Filesize
763KB

MD5
8f768cd9928346de75f961a2d92087d9

SHA1
557775edfa8cd7d1bd901ac0566cc8f0f9ce9fe9

SHA256
047a5ad07e1f5978bea7ae51988605fbe8c7e4e97d029fefcc0f3ad1a10a59fd

SHA512
8c30caed149fbbfca2c251251de3cfea14a5f3922e9235070dafd08f886990c3bac39e9da7659c6728cddd3dcb2bfbeb948841699fa50fe832efd94c11b93516

Download Submit
C:\Users\Admin\AppData\Local\Temp\keswkYcc.bat

Filesize
4B

MD5
e2365a7388b5f94da7ffdd70cdb3f01a

SHA1
7eec385d12052a205bb5964d9798b5a72173153b

SHA256
68b17079600fc9de48150634b876d20bd5940fd50fedee6046bf764c46031b64

SHA512
0123b7c32d9a749cead880b8a8508cbda692442124547181a2b57cc37fee72d563acc0874c0ee2c4ca8189e83bd7d74166e37fc77497e3cac9f083da514cc94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kggM.exe

Filesize
1.2MB

MD5
32440d6899eebbc2155959ca6f94f6c9

SHA1
9b43a9a1fc7fbabd2788ed6da482c63f69dceac3

SHA256
dfe14d2f164d7f42071abb9fb52d3e86e24f285f99578eea652c7fbc4a4824be

SHA512
82f9dd97625eb8552a1bce3985423ebb3ca833483ba0fedc296cbe5c8c48bb6b4a750f1997768c6f69c8047839cdf0ae5343cb25687be3eec922a9fc7c5cbb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\koou.exe

Filesize
479KB

MD5
77fd4bd2035edf495b99d0e494186684

SHA1
5eb084bed1562e027f1b37aec3ee8175c46f89e8

SHA256
a5838dc41f4bf737b44192daacd1f373362f2cee23fa536acd56ae71585e1f1f

SHA512
7b0c60cb9f18838f9f0652851cd6807d957f7908bbff9c5cb6aa9532a2e9c3298e7f5ec5a473668d43701df258fb40d7e72d2cf7f82fee7ddbf61848a16d097a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYQkQEwI.bat

Filesize
4B

MD5
5e63f6e49641e1bdb7b2379a0ab73c46

SHA1
b5135ef70f1deaf23444550f058a1bc88379d7d0

SHA256
3112d26d5b566940991fab74bc399070e338165afeca81d89341601b4c055ee9

SHA512
3d124391b5162f8393978fa5871698c1318ad6e1ee7cbad48779ee4e2ea22e01629a3ba8a31c890a28ecfca3cfaa000937acd210581c4ce6bfffe3a2e0cdfa48

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwUgYMMY.bat

Filesize
4B

MD5
3e23c0d3f99ff4e4a701289471ffb2a6

SHA1
5a4507f12439350904ec636402d8b5ea81da7b25

SHA256
2c3d20cbcae111cbc3e6f475b6f1d92e780ad0de860f11c023ef05ac11b5aa7c

SHA512
3340953537beb77b12c04edbea2f301520f0b0d8d368f7fc3c63f37fee4d5831990ad1eee2656c7e462ff2e2dd9b344bc9bf6e2a100f61dc3a570fd35ba5ca91

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEEA.exe

Filesize
478KB

MD5
47a8088cfef23f217a4c7ae30600f5e8

SHA1
375513b54d0578af2ff4e57daef368df33bc6538

SHA256
539a2905f507a383d7c930625d58ee7c74928e065b642c0d7d166d4efcca9750

SHA512
5add939e1de55f6a76c9fe47dae533c10fae8191d828094a0b4a9359622965e5c98d0e17d76994d483a7d173b90bace0655c10b7ccd12ac0584bb08e8073289c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEMa.exe

Filesize
474KB

MD5
0d6de3c97110d80e5fffa6c9e36f9f28

SHA1
85e0f17648e90585a735ff571d68cdca9d41455f

SHA256
4d16adbc4a412e671bedece52fbbef8ec4bfcb923c52c80ef783fb0f20dc8366

SHA512
1443c1754a02b2773836374a0669b82a8497a434362f4a758186d84d1fc649ff1e384356ca6b34024e84f17def3d703cd1375fb90af9742efc0973991b8abca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQAYoIsQ.bat

Filesize
4B

MD5
bdd1912209873a8550919941a5267e4e

SHA1
acc6e63502cfc73957d4682ff7cc62ab19627667

SHA256
523772effa2d72995e516fd8272506329d071027ed7d11ef0b97102319bf011b

SHA512
7b1be0c3adc0b4606dfd19fde71a32313b3d5b1d7023c076e099a461442bd299c97f6840251b6d87e7ab390488e0673853afaac2bb4387497c6799ad88eef453

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQMc.exe

Filesize
461KB

MD5
ea08f4b03573ebbea7969ca06f4996b5

SHA1
bb0fa5c141d3882158702530d420fdb3e75ef4b4

SHA256
14d86f2300b72f968580b3e3b7103da3ada9c4bffc05588f59911ec776e9cb92

SHA512
6ca72462dc35d20d041a1378b535858c69883d41d65f4aa551c17a1713bd0a7fc8ba84ed0424da0e371773f0c2fe3fb0bc5afa0daffccc99061c98739a30f9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSQYEIgI.bat

Filesize
4B

MD5
20b66412380f98f5f31dbcb940ed06d6

SHA1
a825cf0a8f664d221babcf2e3134dd52c82b305f

SHA256
50bf2120f9fe07c713b5aaff86986717e51d8e0d0f014130c39d5fd0b001e705

SHA512
7d3e50702733ba3d5e5ef71d41f4c81367d53ce66bc8f6845cba65a0b0371f0d638fbecdffd4289a89f64130655b22add6685d02aa8d55db18f7898bee839433

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUoi.exe

Filesize
461KB

MD5
de5c6ee2af80ab53eb296fce1e949503

SHA1
6e6ff8ceda4e90dcafe54cf0de7ce56d03d8d95e

SHA256
e66632aadc6cadaa04ff2fc980e2cffaad9384fb3adbfdfd61d283ccd17283a5

SHA512
3037e3c96aaf1a3e14684cc9ddcf93af3fe4953b147ec2e0d064a4a27050e38ce2c413531a26a25ee8183ccb08e9a9d79038a554b4bccabea63891d81029da23

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUsO.exe

Filesize
442KB

MD5
c2e1a13f7edfd52413520f758c589bdd

SHA1
244ec66e33d89738af51848ac1021c4df4928c70

SHA256
25af16bb6a5a4b2107cfd6b35312d2b7c856f563c4439636258e1938dacb2830

SHA512
3d9b6a84bd93d3ad0ec71a84112e76d63862bca07120ec9c72fd45fb8ebe9a9f53e4171f31e9cc4a98e1de2db3eb8f3aa61e4ffca40f99d6a47d262a0c1079e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWQMUoEU.bat

Filesize
4B

MD5
eeaa21ae66e501ceb42adadf566170cb

SHA1
f2944a8870ab1e98bb52e2fd34a53cc06495d1ee

SHA256
8fdb97f0e31ceb981d69fd49f08d6b704f71484b69278c68c62496e304cc5c3c

SHA512
39291db955c9900d0f93d33cbe0b2303afd2c1261d820939f99bb3c9aa3bdaf1fcd241764311b477a1d995334aac6c2bf5f021e0ef63266fb4c6dbdcc2ddd5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYYW.exe

Filesize
482KB

MD5
f6906568ac968ebbb216c864ea1062cd

SHA1
c119de7fbf14e97b1dcf1edace13b9833c816f3a

SHA256
e7f78c8aa1be424ba4a5ab4db4a1e1284d3b66d4202e898eb426fd2ee8059fa9

SHA512
95cc4cd8610c2c54ec60d51dfcb521693891ef1bcef2962cd9f0abc21f06c86088992b2921f3fff568654b51ceb72aea73995fbbc8da8f0124f5f5541819b507

Download Submit
C:\Users\Admin\AppData\Local\Temp\mokS.exe

Filesize
435KB

MD5
87be601e0a16dcdac998dd339b075d60

SHA1
508719df53755026a095952078b29b5cdc117f3a

SHA256
5d18879017072430dfa784da329c1ab5df4878e85b1d9deb085594c8c5597a6b

SHA512
394fe15fced0275034cb607b258be844fb1860036a5a4c7a0dcd1103673b0ed750b84e04f0a5e9b9078a327321ecd9f497a5e8288d5f1cbd124a95721de31a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAYgQskE.bat

Filesize
4B

MD5
cc2c077fba7a6c44d4d101a6d681b27d

SHA1
c1ffa35605174efc87686c582701a4600ea06440

SHA256
3b97f97c76f80d0d0f510710b3d7ea9d7f36203e2decf214c91e32a423b9238b

SHA512
2c705ca3730b16f0174ddc4861cba0cdaf08b6f7b6a6775e272e26dfdfe7c7d1c7d05eaf19247b5009ba03e2ec198357c1fe05d5811153e13c8ec854d6e7e91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEUwUIAg.bat

Filesize
4B

MD5
f706cfafd8d15e3799a43da56fcbc685

SHA1
40db2cd813e1b80107d93e84444e1acc15aadd1a

SHA256
6c0f1568c8640cf0a8194147653b82067589f77f097d43a6ce052c3608effaad

SHA512
27d834ce71171db4b4e1f1c07363d9f2e9cbbeacbf8e4c1e21879f7e15d3ea1931b5f609f7ac4a761a98dc90d780b615dd12cb3fd34cb947f2d0ec652428a89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIEq.exe

Filesize
443KB

MD5
e3f64a10042fb7b6ea902d9bff95b9d8

SHA1
6ac3ae77c95e3ca0db04276143c395a52f8b402a

SHA256
ee3a0b2c67188b3e64137f16921126819502fe8fe5108032a2a9ac2269744806

SHA512
5a14f2aa69e5e7aad87edeb845ed183f857421560dd008a794171f19ef389bf858dcdf79031dfe295d78e55d1203afbb78056a02c8ae655087d2845e2730e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQkq.exe

Filesize
445KB

MD5
9103659cac4ae23e9a25bfe53c13fd8f

SHA1
db3807127a86c78255a363ca240fea7873eb8bbf

SHA256
fcdcd1693f42e26c36fbababa22bd06338d378a169bd3d7ea8aaa9dabfe25a63

SHA512
b35ac2f543ff606c461252097daaf2982809dade973dfbaa42ce3920c8d9c25e6b3814ed97fbfac8483521553a30f4c8330436f3e4542d177a96eada0194f67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocgS.exe

Filesize
448KB

MD5
5d69d1ec13b8c97498a0e18a7424af48

SHA1
2f5794e368e0e9832c99c106e92af49eab42f422

SHA256
86024c9daebfa67d581d591cc2c3b62d6e158de32a12d02a2ea4d41f17d9a880

SHA512
1a372aecfb49a433c49cae45c5c9e00ec8d7c27f4c9ed9ca07e101adc9e84448ccc0afa719e54f0e4c891fb9b96ecf359d9d59bc33c2fd727b7d61368e56813f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAEe.exe

Filesize
477KB

MD5
b1ae428ae02a0346a463ce98769a8c2a

SHA1
8d30b3a19d3571909a7b81151834f9ba23f5234d

SHA256
f7e6e561d51e0e938596776386b37de183a6c651ed3ca5e843ada7492a465928

SHA512
ea9f231da50b5ea204a3b8c5e9486aad30b67fdcf2b13532e0d59f4f1fa21672ceef232c4620d142f4e077f9d90f1d9e8ded1dfa1484ea0d6cd2b8c9b2e5b9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUga.exe

Filesize
484KB

MD5
c25d7c965719a75a590b94343991e64f

SHA1
45475244b3a3bb3de82d06df595afe6d61398a35

SHA256
06fa6506f21460de9b79041f44c1252864333d15846fde706bcdf8494de997a8

SHA512
299766773d23e3e92263b2a887a53d93ea2a17e1878b62ae3d49a36b351bc0937ad8024b79f15a5d4fe94cc59e216b8e3db291c0216fe2ae493a480dcb018035

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUsm.exe

Filesize
479KB

MD5
d7f9d8efa64542f0c570dcabfb589034

SHA1
e1cb6dae90aff5910a726d90c6104e42886726a1

SHA256
7b97fe86de508c85bd51cec7cbd83be8556835b31638e0ef5d16c76d2a4ddee2

SHA512
9cec7a8623dca0f8ee0c82793e90fcd610287d8378906b66615780139651373018a124d699a640b8eb868afd8c485df05f3934e076cc9f202ac09e796cb3c1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYEu.exe

Filesize
482KB

MD5
86e3a99f40cd7efcfd4ed70a8468493c

SHA1
dd65916dd9dc23ec150887cad58e5bfdbc44a460

SHA256
5bd8969b6bff06a27c23ac31f2a2c3026b1530c7e33b601076875feada410c1c

SHA512
bd343359b3c2f86c016a4cf6a57fb8117fdb1bba5c9357c2daa876e9176f111712b108ba4320abac3dd3a0fa926aec5a574d292c73fcec288b9feb27490b6a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiYgwUIc.bat

Filesize
4B

MD5
ddbdb2e19abb6f6b8cfa8b9d8d3ed3fe

SHA1
2140deb31bc46b8814c59566049dcaaed1354e87

SHA256
c72d4bc44f61bf29d00aac0b52d8542da7ea9cbb393e99f8af3561282b33edac

SHA512
8b98eaf1332891550b496cbcbf81be296bbd12ec33653eabcfb77d7b0d99a6728f8dcc8b54a6db4a49b194de6a613cad2b39c66cb3d020cd337b4848ef6de390

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAAMAEgg.bat

Filesize
4B

MD5
a0f39d3121ca33a2a2dd9959404690fa

SHA1
00d3f194d8a225b7427a96f4c9b84ca625e755e0

SHA256
f1be9b9204bbb8f12e0f9ccc8fd676c9231c38ad1c081bde054b413217244acc

SHA512
976fec339ff9d0f429f6f301f74b4239abc44a46945346a395599b05f3ff2132e4f174443934196462c3a4834c81f8ced1bab1712e146b6708d2ef13ec77dd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\roEQQIoc.bat

Filesize
4B

MD5
66cd2a879645a963e1d597f468d8ffd1

SHA1
28c2e85c92b51b5bb6b76896e86fbccec94a6222

SHA256
0265c2f6419baba96b27abd9c6c28441e9189e9fe6d52d20a84d071ba7c0402d

SHA512
20da3904aead7355b9204ff7a3f9fe3af2ca37840049c272e37f2b890df90ff33dc17f4143a9939f9b7fb216e2cbeb5913f17f9ba174de5748a9e9832e2cded6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAIO.exe

Filesize
485KB

MD5
9f3f9fc3464ed8ec995589419f1cf57f

SHA1
4c168f61d5095619c806cde0adc2cfe74412b193

SHA256
8aa6643b352cb72c5881912c6eab201814f7c74b3d5783b84ec37525ece5d78e

SHA512
12bd55cde70cbd3d4e9f0567848086f8f3fad07a0f0b3c60f562faec056806c1eedfc2a58608375958f8c8f9d7254b0bb8e09fd18b436c206a3814880d11b6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sCgQccog.bat

Filesize
4B

MD5
6ff64892eefbcf0c2f3c44ec2e0437b5

SHA1
a1d3cfeb7e6d2cbc8024dabad757ff94680178d1

SHA256
6bb2585453a5558b9a20db071f006dd531eeb158c32eef29bfb702efe0a50308

SHA512
578a9793653a7180920e762839f3036b5085277929c6e5a67a98c88bbfb25f51722fd114897ff7f56fd9467311a4cbc260d1ccd1d7e42133a8e0981eaf43c733

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIEe.exe

Filesize
480KB

MD5
c30f2405686c0dc0876a79447bd6aa89

SHA1
c8a2727f56fc5c935c146cd252472f0f62c8d7d3

SHA256
981336aa1f089fedbff7a62f9ed66d7a4639a418e33817e2891a68e88074437a

SHA512
7a871167748b90c9bdcdeabb93449c700133bba46a41fc6c835f32a67f9d444fce1f159da8e06c36108dd9a103dbea2dcfbc35f8e511a80f6ae315d94f695ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSMsQUMc.bat

Filesize
4B

MD5
6781c7f42e3286906f09730a09ec2321

SHA1
c3e4f2c851f5dd24e960a9767a4b53a9ac0dd433

SHA256
ce44b4dd6c97a600e50a399b8ed236e12d1faac5cd73a37f0a0789bacca2dbdf

SHA512
d491077d1e7941407faccf0823112e24c995ec9ec68ff4dcf09cbcc39f901f24f6ad6561161590073491014c0590ae66433aa398791aa2ed7a46c0a49dcb1d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUEW.exe

Filesize
438KB

MD5
65ca2ff43a8d5c59c6178ac563bf8293

SHA1
4a6a219726d3414425efad261e34ddd9052c64ae

SHA256
7cc61f121bcafd7a074f7f6313824abd8d2f6d0c9b532bd92f2e2d985ea1f54e

SHA512
0f0ddcb2733d40a32bfeafd2d0e3dbdfcddc722e74511f62212be6910ccc543e97cd4199ef5f55c11b96f1ae421af0e7f2a1f1d1be4f63b3f88d5f9514e62528

Download Submit
C:\Users\Admin\AppData\Local\Temp\sccA.exe

Filesize
1004KB

MD5
f98234d7427f7dfebb59a726f5d39a7d

SHA1
42cadfae741fe0e545cccc6a5c27b568eece5816

SHA256
2e32babdd2f772ada3c61f0de983e0c80815045030ac2b57e96a4928826c766b

SHA512
ef0af0604335fe468f475b67914ad1c06b8c1d714a7a0ddab74550900f34f6f60554d1b0ca17f5333b1977c0e82fa8621fde58a51de441eea8ea8658e93d9461

Download Submit
C:\Users\Admin\AppData\Local\Temp\scwk.ico

Filesize
4KB

MD5
97ff638c39767356fc81ae9ba75057e8

SHA1
92e201c9a4dc807643402f646cbb7e4433b7d713

SHA256
9367b951a0360e200345d9aa5e6895e090fc3b57ae0299c468a5b43c0c63a093

SHA512
167328960c8448b4df44606d378f050ca6c24969fbd7cc8dcfe9ddeb96ac7ccd89e507a215b4c1debff0d20a0a239d547f1e496635fa2f06afad067c30597c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQQAoswg.bat

Filesize
4B

MD5
265475e7b4ff8e734d2d0559c9e93c2a

SHA1
35e69959dfd589b3592b46e1a8b0ea69190511c9

SHA256
4c2bb7f8cecd351008b2632f427c2045f0fe4803da61e05e645c899b9397d5b3

SHA512
b498d950072e278d524d9614ee55ed72b59d8d75ebb32046631decfd595d041b5c9688cd39d9e3dd6ffd9d28e4b245ed6e69ef1bc56050c0f503852e8c599d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAky.exe

Filesize
479KB

MD5
543c25c25ddea5c18503d6a537c42a60

SHA1
e0b5a654376c9540566fc960eae4214f75df200d

SHA256
5a61913839262897f36e7f5ff98470c36e25440080764f21e9ae193fa3c3eee6

SHA512
e24714c1c779618161d6b5d8cf8bf4bebb19a3774c4d330da26ca098809e94620e25dbd08fdefca9fff72c3f6d11621f38b7299a270adcdd9485355390c0c2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQkkYgkY.bat

Filesize
4B

MD5
c3e1724f10dadc9cd443c40d0b8e6e9e

SHA1
b8e8eee7efa70162f3637316871237f228ecc115

SHA256
c25db14366af06032f6f371c8da23b6e2899f84034ef74b0f164d81ad9078459

SHA512
8282914dd2e105e5daa4c59f433d05bde3d1ee44d3d7c91abed2e886c7a1b9d0b526f11c6c48dcdd624c0503de0e91b0a364869e3c75c961e830dfc7646467c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukMUAEAA.bat

Filesize
4B

MD5
652de12271b884387bd92f370337a30e

SHA1
5c14f999e601e37e2044d65cbd0e0a2a020f4609

SHA256
6eb3b70d08ab0d74badea5e10b1fb2746fa6e6f93c8aee3b6ddcfb86cf0560f7

SHA512
e90df67707e9c2f47d29e12a1cbd1ec783637d2514cb1c594ffe3910c5fd18b5402bbb35f78e83c496c36e315db0338edb2cf9a4af6d828a517e5c35fdf7eb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUQU.exe

Filesize
442KB

MD5
2e461bbc1aafb1c7e8dc1cf596b1d3ea

SHA1
07f950ac7d543d2e45e76a5d96f23cf76c48f22c

SHA256
edeef34433ecc341a44dc23dc6e3cab23c5076b4ff84d52c180d58cd59ff314a

SHA512
b1281d45b683c772d95918c457b88ba29cd17da3109926af2074951afa72991ef690ec740c2d19f4c9258c56d10ae3615f23c79a5de73f6a9bf93eb4de257ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYkS.exe

Filesize
479KB

MD5
803899fefa9653b25fe37482c084ff2b

SHA1
98f93721aa65d90b2a0f16fc16bb913a58304fbb

SHA256
d82437f47220d35d554c660bd5d6d036904af690c3f4afe48f4f5764958edb3d

SHA512
e3f50e31299d1fac036d6130e77296bbdd862b9fcf36b3f1fce7eeed0f0ff055af0f435d4001ba84f8e29034967c3f9a59eaf756101ec03acdfe215030ba0d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkcW.exe

Filesize
715KB

MD5
b1db6e444deb860eee3f612514e79616

SHA1
f5ea5c81b7807aca79d9467d6d3926117cabde7e

SHA256
e6ab2fa849883546ebae80a8e495987b84fc8d4f79de64c73f9a266767bf54c0

SHA512
49b2c82426284b0fd88517f59b18be0f1a695e1732c59813f9c7ab231e28fbb2b7bb1518cb5332b83991c1b468b78eb4b2dbf5c220128a840dcba8d5cac9d6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xCcAoQQg.bat

Filesize
4B

MD5
d9b262d7b73675a7b922f464a95ec761

SHA1
8bafab2cbce105e2085679430f7cc4fbffc3402f

SHA256
4d4fb6242d399d35b7f5933bc6b6491c5d89427b381539e63810e8534576767a

SHA512
7979cfc0d89e4e978c1a6b99611681dc2e1fd170e158c09106a4849d4d4d800b636a8cf60e856f4000dca31ef1783bb4603123827c1713f6dff3ed710736e6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\xOsYwoMU.bat

Filesize
4B

MD5
6d1036e5630a8455b135ee5ca1dc2e9b

SHA1
e136c18d0a8ddbf7e2598d98c928a69fcb411daf

SHA256
ecf946bbc79d76257dea380a4a2530fc6be6a0c9343da4419245dda4abe90fc2

SHA512
6bb5844a080c8ec8e9e4d6335399989766eece46b19196eacae8feb39d0bcd5f9a8aa4c9b14e0406df624699095aa72f2f43065d6c459cf128e79ab863a4a959

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQEEMwQY.bat

Filesize
4B

MD5
81c0b3e7963527ea516cfaa2689e1f63

SHA1
568328e42deace86c82154b70b3452f85a064b8d

SHA256
4e78c9d0a152b952622dae1804ea02378da0c0a9a15d9cd45db60f5ad405f573

SHA512
a9e2604149c27aa0cd80413f303bd3bedf7318cd9e8568d9980e58afbca0ef3f4a0eeb8dc11e97cd7c7e71f8bc8d52b461442398d52051f2a415c77b41931a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUcK.exe

Filesize
480KB

MD5
9f70ae8860149b99c62c7cb0175358f8

SHA1
c65544b14685e4e195914751a80292b3eed0d237

SHA256
a47b6d2b12fdfcc250f22a88e3a407889c6dbfece3486914f455ca90c57b108b

SHA512
ee4ea68006ffd943a34f5f7a4c555da3fe625531886fb7274dab8ea11a02f67d572ff6a7092bcce6c419648f7df1fe453e8db078e85fa7ac4e946a25438d5c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYkY.exe

Filesize
480KB

MD5
979d4225a9a696542c28725c945c3c5c

SHA1
9d215ab64a92b4de23b1855a616ae3362e077f25

SHA256
f0d82d3e56ad7d1878aba3b1c12145cfb0321734e04af139d812488294168f81

SHA512
94b97fe64255dc6afc139384996bd9e806707524177239c62dcae01038831c92e24af8b0795262fe66a44d29981b67b3f9ffafe4562f889318db456de497fac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygEQ.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymMgcAws.bat

Filesize
4B

MD5
c9389ec887c7e0eda6a77234f9173524

SHA1
8864a90d4966d4e6bdfe61df7ae68329717d97d7

SHA256
671d36ab621ef0aaa4cec8c3ad85d6f09a4d06b3804c6cdaba6b77dc59095968

SHA512
d35bb44a69cc2c671c521ed8f63a3e00beb746e916d36bfaf67aafcf60bce86f6c67934c62170bc1440207a850c90f954bd16873cc835f9f76a5dfab4dff7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywUC.exe

Filesize
479KB

MD5
7b58f4e71051c9aa1c1de4ca4be7f212

SHA1
ce79c27624427739012a020fcd37f6ab3f5d676b

SHA256
3d24e77cbde502311602b5ed1acdfca8eb7eacc81e8f04503b2b6f7c21878184

SHA512
2f986b5daf9b3d557e66650ae365e8963f8d7dd9d4e28f768d9a9cf6d5350044776e76f6fc03a2685532c2caf88917eb6819e9f92354d3d938945f31e6a36114

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywUcEwcI.bat

Filesize
4B

MD5
f4770155975883e5f948a470537a9115

SHA1
5be8bb01a75d379524c1dd75c51a589513e05022

SHA256
dd0d13409eae2000b85fedf8de59f3cb37fce1db67e5387109ef49b72525dda3

SHA512
c82f78dcd9740fe685a3552b7bfe0a176c25bcbbaa12e427e3e1668b19b732edd9401aaed8b7b56253ec24290b925de2a335b3fdf9b53627956f4cc3322e6aca

Download Submit
C:\Users\Admin\Documents\Opened.docx.exe

Filesize
441KB

MD5
f575dee801d644b773cbd1dd530354db

SHA1
60e78aee052af05dc3d80b64431c4002e76612df

SHA256
dfb5e14234ac442f3105261103e800b5d1f713d8f6d98cd9831db1fcbfdb5ae3

SHA512
1a19d6bbf2dd3e6381f9204e39a6e00a29b373a6a54a923bf6e21de2892f7cd7367834d610e6035242be57253bcce92925055765614f0580f940b48d6d4bc103

Download Submit
C:\Users\Admin\Documents\UpdateRequest.xls.exe

Filesize
672KB

MD5
eb91c16a7f333f0883da756638c76dd8

SHA1
c6196e2df605520b86e7c589ee75d64b2086cfed

SHA256
9f523c1b60438f18e7c00038bd750ca22ba1bf86b84977d604d1cda8c01056e1

SHA512
0e10f3c41a7c50a13e2000d03de0df1dddf0aa59e2a1ddbb190aa3af6887724e2252af27f24b8034c4baec555af12cc4fc461a49e5793194e619b18d142f7ea9

Download Submit
C:\Users\Admin\Music\DisconnectUnpublish.xlsx.exe

Filesize
623KB

MD5
5684ae9c6431bf9ff5c3e82f0548303f

SHA1
befc2f3cf228411122a89aa0b76357e18df1e155

SHA256
35d868e3b272393affa74072c22142acf1fd74806a82e7f6333f811b25f5fbe5

SHA512
ef3c87fdcbd07a8736492555cd25f97113d56cf82aaa0285ded1af2f463b299037aec6a2deb218c4e69a26c1447829a17c8ca5878bfe5ecd07da8eea00b3b1e3

Download Submit
C:\Users\Admin\Music\UnlockLock.pptx.exe

Filesize
636KB

MD5
a70b2133ee2334a945ab5f21d14455b6

SHA1
ddcbad3abf3eecd40feb4fa86a6e5764d238e216

SHA256
b7f1300cd4d8c489c6fda92ed1e06cf3c49389118a28af28b8b3eec99089e0e1

SHA512
6c80b89b5930f0f409b22b5307971e8f5ac213f64f6a941f81c13262ddafb4c668bb597ac3b904ede04d0b35192d643e251e4857a59e1408f403e08edcc0e457

Download Submit
C:\Users\Admin\Pictures\UndoSwitch.jpeg.exe

Filesize
1.2MB

MD5
765b764f3ec91b64dc76e27429b5ab1e

SHA1
79ace864635e9d3af0b949e8d5fb81ba28216757

SHA256
c56f29a2bf6c86dba7e960b941d4e05e42ceede69adebd5b446010b2d0f621a6

SHA512
2d173fae58798fdccbe23a6c9de3c750d0708f66c39c80df7b7c2238c23f0e10c136abceae1e3e4e03a98f8e407446c349f6e97752458c6a859a4ccc6b9984cc

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

Filesize
1.3MB

MD5
9b1c6f01c9ac49aecb6f3a6e4320d5c0

SHA1
4055f149bc18dcbcbfce718d20c429e8a116dcc9

SHA256
d175338082d9c85f92a7915eef6d41d25a8139e9c3a5ac170f7dea8080fd70d4

SHA512
5ce04110bad73aa7bdd996de06f42b698504d68450178ba27aa5b3445b78d2f7326fc6337761cacf3bb8ad95e4732aa874033a3ab1eb1738f90530169ccc7925

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.exe

Filesize
984KB

MD5
28ebaee3e1fce7728637a97da7e18fc2

SHA1
605c6beb1c10976ce078e522f618dee2b189823a

SHA256
2f04c850b17d7fe33efda29b1bbc04c4df5374ba5726c7a90a3f07893c1c2750

SHA512
681257497d94b9cbf46d82b9f9022a3d3d4226cab167fc062a7b89c7e93f3f09e1fe7e7fb8d5821919baf32a7aada26b7c0f727afd119926d7192a9fcc982874

Download Submit
\ProgramData\AOoMwwAg\bIEEIkAE.exe

Filesize
434KB

MD5
65ceb1c6c2bdf2752af651d72d548a5f

SHA1
2831cba947f7481f0bff94c18176b3dc44a419d1

SHA256
066172ff835c6682c0382c373975b154f3ef8b55bb63f8c0ce34c58e8b175b12

SHA512
d6e309f08ea55d5e93b1e7ada689c87055d947612aed60f5ba7d19c52bc9f0562041e64074b6671ded2dfb93fa90addee784899ffe311dd78497a05be6253bc0

Download Submit
\Users\Admin\YuQYAEMs\fMwUAswo.exe

Filesize
431KB

MD5
23f08bac2d6fc3acf54b65335fe51d78

SHA1
4152a8cc1007852796f3a6bef507fecb329e87fd

SHA256
8c893be7bee1a1fc1564d075bae84ff3622e725edfb25ce16202190be70b3447

SHA512
699b9dc8c6ce1031103c207103059d2d99e982c5242afdfac71567ce4bf0458dea47e6b16b6060762d3cef16ef60e49961bd60fc220ea9e7f2d4542eaa8010e4

Download Submit
memory/240-613-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/240-585-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/296-110-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/296-141-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/628-379-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/628-347-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/692-212-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/692-245-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/944-303-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/944-334-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1240-428-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1240-456-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1508-290-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1508-258-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1616-211-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1616-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1732-532-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1732-504-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2104-236-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2104-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2184-494-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2184-466-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2232-604-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2360-325-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2360-357-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2388-312-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2388-281-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-132-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2400-164-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2408-119-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2408-88-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2472-523-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2472-551-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2496-53-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2496-33-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2556-437-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2556-409-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2624-399-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2624-370-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2644-594-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2644-561-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2660-198-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2660-156-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2756-570-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2756-542-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2824-447-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2824-475-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2836-235-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2836-268-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2852-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2852-189-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2936-66-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2936-97-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3016-154-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3016-0-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3016-175-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3048-222-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3048-75-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3048-44-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3048-188-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3052-418-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3052-390-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3060-513-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3060-485-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download