b1056b18e01f75b03fcbc0fcdec284c773e3f300a8ceffd97e27dea372c29e4a

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3850dda7fa236f108b0854e1033e2483.exe
Size

488KB
MD5

3850dda7fa236f108b0854e1033e2483
SHA1

4524c13d4fcb7c2cdd7fea0b60e1f6b4553e8894
SHA256

b1056b18e01f75b03fcbc0fcdec284c773e3f300a8ceffd97e27dea372c29e4a
SHA512

8a6abd8fbb1093f25e1b9532dddfa0eb9532907d6482216214828a178e03f56b9beda8f6030b6e05b9e0b1f52e5b41e435381b86094729d9836f8b0c9140b003
SSDEEP

12288:bY7/tf+rvWBoF6nqw+RcpV4Uzl/cMG4sPY7KxqHLGbB:btbWBoEnjWcbp24sZxqHL

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (58) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\Geo\Nation	kqsUkkgA.exe

Executes dropped EXE 3 IoCs

pid	Process
3044	DUIMQIgc.exe
2160	kqsUkkgA.exe
3068	euAooAwE.exe

Loads dropped DLL 22 IoCs

pid	Process
2936	conhost.exe
2936	conhost.exe
2936	conhost.exe
2936	conhost.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kqsUkkgA.exe = "C:\\ProgramData\\fmoUEAcU\\kqsUkkgA.exe"	kqsUkkgA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kqsUkkgA.exe = "C:\\ProgramData\\fmoUEAcU\\kqsUkkgA.exe"	euAooAwE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DUIMQIgc.exe = "C:\\Users\\Admin\\lQAQYgMM\\DUIMQIgc.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kqsUkkgA.exe = "C:\\ProgramData\\fmoUEAcU\\kqsUkkgA.exe"	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DUIMQIgc.exe = "C:\\Users\\Admin\\lQAQYgMM\\DUIMQIgc.exe"	DUIMQIgc.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3850dda7fa236f108b0854e1033e2483.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3850dda7fa236f108b0854e1033e2483.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3850dda7fa236f108b0854e1033e2483.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\lQAQYgMM	euAooAwE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\lQAQYgMM\DUIMQIgc	euAooAwE.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	kqsUkkgA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3060	reg.exe
2704	reg.exe
2384	reg.exe
2668	reg.exe
2676	reg.exe
272	reg.exe
2884	reg.exe
3020	reg.exe
2488	reg.exe
2224	reg.exe
2292	reg.exe
1856	reg.exe
784	reg.exe
2728	reg.exe
2444	reg.exe
948	reg.exe
2024	reg.exe
1904	reg.exe
2256	reg.exe
840	reg.exe
2896	reg.exe
2428	reg.exe
1712	reg.exe
2688	reg.exe
2568	reg.exe
2372	reg.exe
2400	reg.exe
2076	reg.exe
1076	reg.exe
2464	reg.exe
1548	reg.exe
2092	reg.exe
2936	reg.exe
1840	reg.exe
2240	reg.exe
2424	reg.exe
2740	reg.exe
1992	reg.exe
2560	reg.exe
2144	reg.exe
2476	reg.exe
2832	reg.exe
2948	reg.exe
812	reg.exe
3032	reg.exe
3012	reg.exe
2044	reg.exe
1532	reg.exe
2952	reg.exe
2104	reg.exe
1580	reg.exe
1696	reg.exe
2492	reg.exe
780	reg.exe
1152	reg.exe
1864	reg.exe
1688	reg.exe
1968	reg.exe
1324	reg.exe
2024	reg.exe
1756	reg.exe
2452	reg.exe
2748	reg.exe
1324	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	conhost.exe
2936	conhost.exe
2540	3850dda7fa236f108b0854e1033e2483.exe
2540	3850dda7fa236f108b0854e1033e2483.exe
2968	conhost.exe
2968	conhost.exe
1072	3850dda7fa236f108b0854e1033e2483.exe
1072	3850dda7fa236f108b0854e1033e2483.exe
268	reg.exe
268	reg.exe
928	reg.exe
928	reg.exe
2036	reg.exe
2036	reg.exe
2496	3850dda7fa236f108b0854e1033e2483.exe
2496	3850dda7fa236f108b0854e1033e2483.exe
2948	3850dda7fa236f108b0854e1033e2483.exe
2948	3850dda7fa236f108b0854e1033e2483.exe
2136	3850dda7fa236f108b0854e1033e2483.exe
2136	3850dda7fa236f108b0854e1033e2483.exe
812	3850dda7fa236f108b0854e1033e2483.exe
812	3850dda7fa236f108b0854e1033e2483.exe
1160	3850dda7fa236f108b0854e1033e2483.exe
1160	3850dda7fa236f108b0854e1033e2483.exe
2476	conhost.exe
2476	conhost.exe
2760	3850dda7fa236f108b0854e1033e2483.exe
2760	3850dda7fa236f108b0854e1033e2483.exe
1856	3850dda7fa236f108b0854e1033e2483.exe
1856	3850dda7fa236f108b0854e1033e2483.exe
1884	conhost.exe
1884	conhost.exe
2916	3850dda7fa236f108b0854e1033e2483.exe
2916	3850dda7fa236f108b0854e1033e2483.exe
2816	3850dda7fa236f108b0854e1033e2483.exe
2816	3850dda7fa236f108b0854e1033e2483.exe
2728	reg.exe
2728	reg.exe
1592	cmd.exe
1592	cmd.exe
2992	3850dda7fa236f108b0854e1033e2483.exe
2992	3850dda7fa236f108b0854e1033e2483.exe
1716	reg.exe
1716	reg.exe
2880	conhost.exe
2880	conhost.exe
1964	3850dda7fa236f108b0854e1033e2483.exe
1964	3850dda7fa236f108b0854e1033e2483.exe
2660	cmd.exe
2660	cmd.exe
2336	3850dda7fa236f108b0854e1033e2483.exe
2336	3850dda7fa236f108b0854e1033e2483.exe
1056	3850dda7fa236f108b0854e1033e2483.exe
1056	3850dda7fa236f108b0854e1033e2483.exe
2580	3850dda7fa236f108b0854e1033e2483.exe
2580	3850dda7fa236f108b0854e1033e2483.exe
2876	cmd.exe
2876	cmd.exe
1776	conhost.exe
1776	conhost.exe
2108	reg.exe
2108	reg.exe
2244	3850dda7fa236f108b0854e1033e2483.exe
2244	3850dda7fa236f108b0854e1033e2483.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2160	kqsUkkgA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe
2160	kqsUkkgA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 3044	2936	conhost.exe	847
PID 2936 wrote to memory of 3044	2936	conhost.exe	847
PID 2936 wrote to memory of 3044	2936	conhost.exe	847
PID 2936 wrote to memory of 3044	2936	conhost.exe	847
PID 2936 wrote to memory of 2160	2936	conhost.exe	846
PID 2936 wrote to memory of 2160	2936	conhost.exe	846
PID 2936 wrote to memory of 2160	2936	conhost.exe	846
PID 2936 wrote to memory of 2160	2936	conhost.exe	846
PID 2936 wrote to memory of 2556	2936	conhost.exe	845
PID 2936 wrote to memory of 2556	2936	conhost.exe	845
PID 2936 wrote to memory of 2556	2936	conhost.exe	845
PID 2936 wrote to memory of 2556	2936	conhost.exe	845
PID 2556 wrote to memory of 2540	2556	cmd.exe	844
PID 2556 wrote to memory of 2540	2556	cmd.exe	844
PID 2556 wrote to memory of 2540	2556	cmd.exe	844
PID 2556 wrote to memory of 2540	2556	cmd.exe	844
PID 2936 wrote to memory of 2092	2936	conhost.exe	843
PID 2936 wrote to memory of 2092	2936	conhost.exe	843
PID 2936 wrote to memory of 2092	2936	conhost.exe	843
PID 2936 wrote to memory of 2092	2936	conhost.exe	843
PID 2936 wrote to memory of 2668	2936	conhost.exe	842
PID 2936 wrote to memory of 2668	2936	conhost.exe	842
PID 2936 wrote to memory of 2668	2936	conhost.exe	842
PID 2936 wrote to memory of 2668	2936	conhost.exe	842
PID 2936 wrote to memory of 2808	2936	conhost.exe	840
PID 2936 wrote to memory of 2808	2936	conhost.exe	840
PID 2936 wrote to memory of 2808	2936	conhost.exe	840
PID 2936 wrote to memory of 2808	2936	conhost.exe	840
PID 2540 wrote to memory of 2660	2540	3850dda7fa236f108b0854e1033e2483.exe	837
PID 2540 wrote to memory of 2660	2540	3850dda7fa236f108b0854e1033e2483.exe	837
PID 2540 wrote to memory of 2660	2540	3850dda7fa236f108b0854e1033e2483.exe	837
PID 2540 wrote to memory of 2660	2540	3850dda7fa236f108b0854e1033e2483.exe	837
PID 2660 wrote to memory of 2968	2660	cmd.exe	773
PID 2660 wrote to memory of 2968	2660	cmd.exe	773
PID 2660 wrote to memory of 2968	2660	cmd.exe	773
PID 2660 wrote to memory of 2968	2660	cmd.exe	773
PID 2540 wrote to memory of 2104	2540	3850dda7fa236f108b0854e1033e2483.exe	780
PID 2540 wrote to memory of 2104	2540	3850dda7fa236f108b0854e1033e2483.exe	780
PID 2540 wrote to memory of 2104	2540	3850dda7fa236f108b0854e1033e2483.exe	780
PID 2540 wrote to memory of 2104	2540	3850dda7fa236f108b0854e1033e2483.exe	780
PID 2540 wrote to memory of 2076	2540	3850dda7fa236f108b0854e1033e2483.exe	835
PID 2540 wrote to memory of 2076	2540	3850dda7fa236f108b0854e1033e2483.exe	835
PID 2540 wrote to memory of 2076	2540	3850dda7fa236f108b0854e1033e2483.exe	835
PID 2540 wrote to memory of 2076	2540	3850dda7fa236f108b0854e1033e2483.exe	835
PID 2540 wrote to memory of 2596	2540	3850dda7fa236f108b0854e1033e2483.exe	833
PID 2540 wrote to memory of 2596	2540	3850dda7fa236f108b0854e1033e2483.exe	833
PID 2540 wrote to memory of 2596	2540	3850dda7fa236f108b0854e1033e2483.exe	833
PID 2540 wrote to memory of 2596	2540	3850dda7fa236f108b0854e1033e2483.exe	833
PID 2540 wrote to memory of 2788	2540	3850dda7fa236f108b0854e1033e2483.exe	830
PID 2540 wrote to memory of 2788	2540	3850dda7fa236f108b0854e1033e2483.exe	830
PID 2540 wrote to memory of 2788	2540	3850dda7fa236f108b0854e1033e2483.exe	830
PID 2540 wrote to memory of 2788	2540	3850dda7fa236f108b0854e1033e2483.exe	830
PID 2788 wrote to memory of 2492	2788	cmd.exe	654
PID 2788 wrote to memory of 2492	2788	cmd.exe	654
PID 2788 wrote to memory of 2492	2788	cmd.exe	654
PID 2788 wrote to memory of 2492	2788	cmd.exe	654
PID 2968 wrote to memory of 2144	2968	conhost.exe	605
PID 2968 wrote to memory of 2144	2968	conhost.exe	605
PID 2968 wrote to memory of 2144	2968	conhost.exe	605
PID 2968 wrote to memory of 2144	2968	conhost.exe	605
PID 2144 wrote to memory of 1072	2144	reg.exe	827
PID 2144 wrote to memory of 1072	2144	reg.exe	827
PID 2144 wrote to memory of 1072	2144	reg.exe	827
PID 2144 wrote to memory of 1072	2144	reg.exe	827

System policy modification 1 TTPs 16 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3850dda7fa236f108b0854e1033e2483.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3850dda7fa236f108b0854e1033e2483.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3850dda7fa236f108b0854e1033e2483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3850dda7fa236f108b0854e1033e2483.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
"C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe"
1⤵
PID:2936
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2024

C:\ProgramData\VioksAUI\euAooAwE.exe
C:\ProgramData\VioksAUI\euAooAwE.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3068

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2104
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2492
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:268
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\VgAMUQoE.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
    C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
    3⤵
    PID:1108
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1848
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1588
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:952

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:2476
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  PID:2144

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20603859971121085826774830794643185828-1339906118752014785116172440-2081912411"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1680

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1696

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEcksIEs.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:2972
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1840
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2784
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:1020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:2728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\nqgIkEQY.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:2936
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2444
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
    C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
    3⤵
    PID:3000
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3060
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:972
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:1100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2812
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  PID:2116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1776
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:3020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:2108
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FWIIEIMA.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:1684
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2900
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1324
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:2664
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
    C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ikEswMYo.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2916
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  PID:2844

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1848
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1016
- - C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
    C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
    3⤵
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DcQUwoQk.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:1152
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1640
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:3020

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1472
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2884

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OKwUsQoA.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\icwQYsMY.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:1560
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2936
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1840
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:1648

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mggAkUYY.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:2116
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:536
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2024
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2852
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1964

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:2028
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hoEccQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
    C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
    3⤵
    PID:2876
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\jwEoMsQI.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2104
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2688
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
    3⤵
    PID:2436
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:1180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EyAkAQgU.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:3060
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1516
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2100
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:1552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2444
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGwMUswI.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\aEQccgUw.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1488
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      Suspicious behavior: EnumeratesProcesses
      PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mOQAMsYY.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
        5⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1904
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:608
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
        5⤵
        
        PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
      4⤵
      PID:2612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1724
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2324
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1860
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\AyEAwcEE.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
      C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
    3⤵
    PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JSYcggEM.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1132
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HYAYwwQw.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
    3⤵
    PID:2956

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OCsskUMs.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\HiEcgcoY.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:3060
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2000
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:2568
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:448

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hoYogIEk.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:1284
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2224
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1856
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1730668584-12633011657434678198161045714649482901967211752178841019263348637"
1⤵
PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bUwAEYsg.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:3012
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1852
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1076
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:1536

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pMwEAAcg.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-158913793-50774185919931235418505251261671499358-592342710-1947427421-1130639356"
1⤵
PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RwcIQocI.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:1468
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1688
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\eKkMQQQI.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
    3⤵
    PID:1884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\niscgMkc.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
      4⤵
      PID:1648
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
    3⤵
    PID:2896
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
    C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2244
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1548
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
    C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
    3⤵
    PID:1716
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIQEQkIQ.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:1684
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\iuUEkAQs.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
    3⤵
    PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2488
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUQkAkEw.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\MUUMcYUo.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:2448
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:876
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2896
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsooUYoo.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UswUUUUk.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:2984
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:540
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2252
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2476

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12284541141219104829-99634456567301985132013531586427347-18392786912030209828"
1⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jcccQsEU.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2024

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:1488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-742047611-5718579411389663101-1966890697096071-472142340-814219181286583016"
1⤵
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2048176959-143263166819078596256604312041551491508-1895770029-1548504401-93098456"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2880
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\hqgoEEEA.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:2424
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Modifies registry key
  PID:2444
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1498010848-2009131079-169665501386747281-1037654509567061995488956251503300807"
1⤵
PID:780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8737378061995910530-1302301419-7806449171650244341-1098254314174882454569053580"
1⤵
- Modifies visibility of file extensions in Explorer
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGAsEIAc.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:1284
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:900
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:272

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:1152
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:280

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VQQQAwMM.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Fokcgock.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2192
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1744
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1012
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:1976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2044

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IqIEskoU.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1028

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2916
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\VussQwgA.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1584
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2872
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YEMQUEEw.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZUsYcsUg.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:576
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2400
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:748
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RmgkwIkM.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\gMsUgksw.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
      4⤵
      PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bYoEUwAM.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
        5⤵
        
        PID:1500
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:2032
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:1324
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:768
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2292
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1992
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
      C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1072
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
    3⤵
    PID:2264

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\vyAswgwU.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:1064
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2672
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1444
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11822905-11374038532055217682-2002990708-14849600481922541536-522412043-369127440"
1⤵
- UAC bypass
PID:540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "297311680-171354389412839107123724818141628201240880195509997277039-349790785"
1⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BsokwEss.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2132147416195494339421415950641147126750849077617248834251450695930-1902102049"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2304

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:2108

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OqAwMssE.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2264
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2372

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1408

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "140464239725444602-4275263821222625677-833905617-807143074-584443062-1899630809"
1⤵
- Modifies visibility of file extensions in Explorer
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YcAYQsMM.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UQgAQAcA.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2596
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "181061943861699075419295127231460467522-1552198882-1443827832-1560699332079417147"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gsUoocos.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1100
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1755132305-2111396354245840915-1891372876-109728910419941746101950342243-1177410661"
1⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AyUUccgE.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2424
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1996

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1625785501-2728019791717777313-1354269857182849659118705729071269378573-305721543"
1⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:1288

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1552216577643045447264072633837442528-213050425435589440-585425243450405809"
1⤵
PID:684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-624594914818823155755172935-725094924-84478917217518403347898239611288380070"
1⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:576
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1488

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zQIUUwEA.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:272

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:1064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1738453628206076267179318181826243667338566506385282398-552167815811834259"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mUwMwcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:280
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIUcEskE.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
    3⤵
    PID:972
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:840
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
    3⤵
    PID:2948
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1824
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1603989312403085091013848228-17494570571776826388-473042620662612989-1029295311"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3661349621896787970-1963958492-642095653-880829734-1375335885-15788658631383797713"
1⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MGIcUAoQ.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-154678019165278625696889431316128444421054020154-1678033000739356821-1146812060"
1⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1190728101491057446-1714387349-1552605530893728785-53253935096621961841382978"
1⤵
- UAC bypass
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1862918423-1144207287-17460566781720458952555705253-13164414-717451055464805450"
1⤵
PID:2452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "960738069-1949005834-85874818218774982078945259322081244715492496430608102348"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "151000639-122386686-150486748764656496-560349722-743721486-405895387-1091265106"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ziMAgwAc.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:2120
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2808
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- C:\ProgramData\fmoUEAcU\kqsUkkgA.exe
  "C:\ProgramData\fmoUEAcU\kqsUkkgA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2160
- C:\Users\Admin\lQAQYgMM\DUIMQIgc.exe
  "C:\Users\Admin\lQAQYgMM\DUIMQIgc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmwwgwkg.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-315527531-45350348547147198294892206310290359928542680141536010212-371437662"
1⤵
- UAC bypass
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "270542234-1149143147-713542957-1200654333-18254544631898381691-9450238341467675720"
1⤵
PID:2100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1161546442-1222601511-132009443117564954582147164564-655165543-17991529781205918506"
1⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dKIQMcsY.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:1532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9798124571878498246784292890-2066940861083744809-548565132-1955098817-671901802"
1⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13682307371290739437-124058398510706714271209332661382873592-1122744715-854007452"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XawUEEYs.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:1644
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-539467096143985102716003601031993364690-2022000978-1222485076-188835879384479507"
1⤵
- UAC bypass
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "474016701826503540-1408003108101335855549731517-784491693-11058379071797395156"
1⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGMkoQQc.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:1288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1905556483-1851503031966363200-1299787625898931322-669690928490416301-114756694"
1⤵
PID:876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1368662587-875859088277792432-753075896-1578059491-773875445-1574662622-780825771"
1⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1425761650-1881388011-362831915-5493754901049449270392710569-1130715713-58189735"
1⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8939058768724394341544560819-417320092515881111409894593-6464474052121689093"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "812829901-8104464776968418031421728834-19437731334763689151860799548-710218659"
1⤵
- UAC bypass
PID:1100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8734377821876581663-1956413075-1140719647-17633607951445417734-860324416-1148570054"
1⤵
PID:1724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "134211210144510286136678655-268485824-507541696-1575229814-475189596-1755978753"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "500329140465159185-1212797325-1993898669-109468728620607704031178290531308850304"
1⤵
PID:1448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "380578150811599834-10224699041544471509-67344785-2663315911583624128-1571115036"
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-839520745-17607837251638282830139643603521080893451652345020-3459918112040276186"
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\GcMwEkkY.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:2660
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2844
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2512
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:2940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20999340221069145819-1397250810-902732000-1508903444-24268931394263155-571063143"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1357913693900595443-13215569805969747821318423930-2045234446-1255493328-33938257"
1⤵
PID:2424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1884793297-129215838-493262981-7409922701132284356-1127317480-146115702909169981"
1⤵
PID:952
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:812

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-599342022-12224060598236921151219002823-1026484376-393999607-314307636210514130"
1⤵
- UAC bypass
PID:2884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tMccsgcU.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:768
- C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
  C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:2136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RSoMIAoI.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  PID:900
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
  2⤵
  PID:1740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1917090491-121622571515699823361628581793174045572291100787319218254781698616482"
1⤵
- UAC bypass
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:1500
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2094885753-267311960169514692-13439066126208723827179997591862766719-1309175965"
1⤵
PID:3000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-856091984687927573-571337756-1107155228134165893112289809751911078268-1232638618"
1⤵
PID:2280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "228055893-1780880588-11175596287765881422070351195-244473106-10225095271673101642"
1⤵
PID:2524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19562663652100238670-5633676691108817474475160261914360151671949207-1315346158"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-409070752-1042743003-1501574191456607734-927998695-1807904068-5604748291229236989"
1⤵
- UAC bypass
PID:2828

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "86567023-1377465045230654568227383479-328788974-398063217-18986856261811804042"
1⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CSMsUAsE.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
PID:2832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1165101735-5381954981924465837-1456611095-27474261632947502225525697-57298209"
1⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mUQckwAY.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
- Modifies visibility of file extensions in Explorer
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "396966608484755988-647258139-1837372142-9590321951868551100-1736872961-404773790"
1⤵
- UAC bypass
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:3032

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:1768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "570855186-2075458814716024265-164272631-17875703581393073189-121864425853911716"
1⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YcogIUwU.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:1672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-70523752518582202261322276617-1419033622-1225083949140910080816561267051015943200"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1402338135-1524743972-568449360-931632392616037082-14933865119552558731307248075"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-249147381279615737500190128154471622717993583-6601696583212089331995601349"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-97205349547600789-1545401480-1507948493-420907047-8767802001427265402303386388"
1⤵
- UAC bypass
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-919974426442967926-1526350003-1462311576-396775131-1338321459-1863234679-361587442"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YccYAYsA.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1592
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2952
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2800
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2732

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-176956062310299521251106597064380586363-11449729092732499402035361383-18275979"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "844501369839453196-18949745321125762132-1393828473-9827123821696525434-1625048162"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "141928328392448548813837537201950285768-238326776320388969-1998335751-1162499491"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1357231441-13576847413622690966793190184672319612039714080-556962507347580131"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1864

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19753296236876789132478264281427749462-24957301-1122267994-284779791361553723"
1⤵
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-927734562-19530473541958177995-9945428389423992806986178232274207871237251232"
1⤵
PID:1064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1820739299-705380152229060771-1771741431181559291-807920076-1524558376941366771"
1⤵
- UAC bypass
PID:2376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7329360672262215171825815435959387318848439896-1149320877-10598973361970678380"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1038037871945732325-1036454847529290139992454846798476895-652413524-897328542"
1⤵
- UAC bypass
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19514411591056085087-7940351448598244652045346946-109535195815937390081595371046"
1⤵
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-336069851-108274734-1095689488-503662765-661710927-7250245521882942500395621732"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOkYgAIE.bat" "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "60892742-601137389-340851096-451516959655017892-234047247369938629-1712657325"
1⤵
- UAC bypass
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1143490092-8277013201477074596967599423-1130505250-70394343917965263222010976639"
1⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-284237669-479248589-1966983600-1141890024638496119-385123711597135286126919990"
1⤵
- UAC bypass
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483"
1⤵
PID:2308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1084905749-4278018321107498747969052650-593413513-17687223165997423-994864694"
1⤵
PID:1644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-143135246820937592661446538286570962570179072927263163464630971998407788784"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-139536349122590244-2024671576-1192977011-778821781356451082-17974142491873483"
1⤵
- UAC bypass
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-57165604612495459011372795361733110463-1291672979-1926262330-398247581-1565867587"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-465989586319861071762876220148544434896212811245627694-1807026689-873906047"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1562093790-6166089171056431472-1343585246-393544243-1252107344-968082463-347431353"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1809131978-658141526-1853902894-673246225-1462102581-1302286606192282094-966388632"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2676

C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483.exe
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483
1⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
473KB

MD5
a5025d93b53c6e5ba6117906d6ff314d

SHA1
e4acb08b794f822b6400b9886f7b328f0138c137

SHA256
8aedc29bcda67a9bab08739ce3cfc45a275a799ab00a31e48b6bd8a0b7220b3d

SHA512
9cfa8004fa4636be22eb602b22a54d716452522a9f8c3a3129f3aa39166399d7d63c5dc30b017a66200cd528412e76f7cc46964408619172e96f465c8ea73b0f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.exe

Filesize
455KB

MD5
e1b2b10f517f174d3d4c25bf001d4c9e

SHA1
8639fc8bb842d4acbe7e758ffc8f594483da4f12

SHA256
b54422e22472f12a038e4535a85e4d1e760207c52d2c5276aed142104328db10

SHA512
267fc3628e8b0a9e4d3d564664af9c0b26aa8cba3dc7aa28f5e82fb1161708987eb64a319309791601ed40b36c6887240f2b846df180aa428e8bda925d795237

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.exe

Filesize
481KB

MD5
168e92e3d6d342e0473cfc4c9777c651

SHA1
33a74a2b4a5a15d35ebc1d03e6dc5fe7134b0ed4

SHA256
94ec30213eddb788456436240538c954de74ae613ae0a0dc3f438eff16df9b78

SHA512
1691214a14993b939653af05a158c57f011a6ac048a0dd9d0d38f5e86d4c7f68398e48345fc8b733dda28c507dc033e832a255b9ce009a023fa59724af7fe90e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.exe

Filesize
181KB

MD5
688b6dd12caa90d15e306fbe78ac43a0

SHA1
d58923ace4b004c2bf7ee4007e0d7db25274a899

SHA256
049c3cf8c2054624ea312d6f1e787e69707d05d6d45d1b0e2773224653da9411

SHA512
1ffd78a65744ca6e9f843f17b04882ae1a8843f0d77f28f1457148ab3d103be134066608f46a338104a9cee4780e1d086fefff3250d1485a37567e2f5ac18201

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.exe

Filesize
480KB

MD5
0daa7bf8039ec3a8c7f9b384a879f92f

SHA1
a433d562d6d518ca2efab3349edb4a6848fbd88e

SHA256
2db81ca1f143f1dfe5d5b460e8009009033fd6adf6a6bf2a0201bc7d754cbe34

SHA512
38e1bc0260076ec9e0b702c27f9233ff17378cd98fce18dbc2b7b39f022bde73fd031a572cd9755c93b01271071aaae45dbe03a5497faac5605960ff170c562e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
97KB

MD5
fc9d02bed4fa9f07a4a5fcbd89b871c5

SHA1
a4161a48abad612958eaaa884a498eb7a47eaae8

SHA256
690dd23d57815dd811425089f0a4f9cc6f0628b71b631b40a9e1e1ffd55baf04

SHA512
674bceb41daa47492f889ad916ac7356bff4012efaf28a4ed1015af5da290c07470bb9ee2adbbd273ffe31495681b5c4fa1f6c5afd2537925915ce7220fa22b9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.exe

Filesize
455KB

MD5
da79d2c83f1314d0eb45bd65ab259197

SHA1
798a1c21bee824ce26132a562c84e43b9915be5e

SHA256
ba629f216aa9e3954e23be1dc51f15065a27233ecf92d1cbca862520e31c968a

SHA512
a90affb81bf3bdff087031878d9e2989fca7afce4928f9b4db4b99941a8f18d87ddbb44fbfa803f2caaa0b71bd7c8faa4b33f82e69789216b5b7d0118a8216d8

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.exe

Filesize
478KB

MD5
78e0121d571978a14666a9348e89ca4b

SHA1
d79e9f04f39ad2789946efa3d37f85c0211ebcb0

SHA256
f7e352fcb59e1eb135d7c2850c0ccb90f15ca7323fa732c08f0ae011f40276ec

SHA512
3b9fe4a52be1bf5080875b6be71b3e7314ec50a186aa38c047d88e03b145f9e76ddbd275a03b01c5e6d8790143a2a0049e480d47fbb4ae70fd4cb1702fc1a3d1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.exe

Filesize
479KB

MD5
ec9552a7ba6c2753e9c9ba244a2920d9

SHA1
0b6f2590641cd70e3f4f2dbad86016fbcdee4225

SHA256
23ce45edf8d9d56097daefbdbcc7b4797486d799dca396c35d335498ef396833

SHA512
825d3ae1ea70e97b265898544250419d113ad8c03bcc500a3578bc6777c74ffa276e8197abb8f684b2488b88729076ee4d505f34ee628a991014e4fc7fe1c12e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.exe

Filesize
141KB

MD5
b6d7fdfd70f42225dd6097c8fcb28acb

SHA1
e0bb066f255ed1e30e65e69dad803fb2b6eb1232

SHA256
f23fc687de65389c2c38d0c45ffb4f94d3d9fa6b983d7806db1e52d05bd4597e

SHA512
5aeb1750a1eff404efd23d113fc585a1bb993026ee6a1233f1485f3131cfddc025e8831d577d54a858d4e98decafec1e919b5a18e8a5bea75d2bee993097bf2a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.exe

Filesize
170KB

MD5
b20ebac85fdd93d4227a94e8305e2c3e

SHA1
81ecad79a6e40ce6b2c48aacd1fcc80dbfe41e91

SHA256
ac5229741e37da1f66aa908a5f355018683600f73aef461b26cd6a80a32d88f3

SHA512
6a7ef289497fab4ef7eaa05e8b5d51ef03e39fc25334518a62e40411f56b26775bf1406d1abd4a51dbce16b67ebaa37b1a7599cee3151d4428a89ccbd63b0202

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.exe

Filesize
482KB

MD5
d4808a9ebb860d0585b015d54b98ba1f

SHA1
1d7d6b307cd35261d80b77ccb1d164549c02bad6

SHA256
d964a62d65a7faed6038d9b5a280618db64a7bc210f4a4c7ca41c82fba2a3080

SHA512
8e6228bf349160d69c1472dae0de59c2ca797d34fa594a96788e3e01435eaa73872628bb1d9b0055862952266f80d7737f590e7078a2eb01303a956e715b57eb

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.exe

Filesize
173KB

MD5
a6bcc19189e63b81a05f7119b4ec2350

SHA1
f5de2e151a06e7707358e2d0b6d89e3506587abf

SHA256
8e958b0956381b8ea16644e4afd125e5d946906af73c127e103640cee0b2ad26

SHA512
9ff6d0989bffa0cf414c5013a9f6bf38a6d2feb4f86af8687f0144fde2350c9f201b777d1faed51554726249b1cb34ee0e06c41a914312b6425d92de039c17dc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.exe

Filesize
159KB

MD5
6cdf6efa52fa833f0398ce8fc9621db8

SHA1
ee0bf380780c9619ea8b62bece4ffbb120b63103

SHA256
a5fefa370784da302fe823da00653a00b563d382900b1f3e49592ce171d4cfb4

SHA512
2242d324a4a1decae9bd30f3b12b2591d907c0a6cfe37453d7f89c938322333d8ed8db56c204f778aa6a952ad28ab93b09efbf47280fae5a1013c141ad16b039

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.exe

Filesize
343KB

MD5
3f7fc9f5196a95d9f48862cac8b8ebf7

SHA1
e9ffd84c36d2d211e486dd6146afc7322265b811

SHA256
0ae07a2512f434848629ec1e80088f15cd4f3eca81ec32b0830e5c99ea40594b

SHA512
b9e69ed005ff8dd2210fc74d9df0f490577edeb32a13ad97460fc0cbf84b1e65332decf89274c293d4b1d066dcbcd00b6d01005644c4cf3ae8bc104ef2439aaa

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.exe

Filesize
443KB

MD5
9b040517ea5ad5e59218ee7a4ce18b0a

SHA1
a59e934cb9362a4c5c762d0392b29530cfe2fae9

SHA256
45929255a29401766109b5eae2232a776fde06d43c89e2922e9de24af199b6ad

SHA512
7d9e8ede98cb22bf002f4ab9d27a2a9392742760e3731c416b037f32564fba05b9154537dc3928f487c920b4153d3cd21b9d6e4f51580db8abe42761c4b9db71

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
479KB

MD5
c9bf2c87d624d7e7881adec8f115c612

SHA1
6901d35da8b158cfcb4befeabe6cd7ebb6002d7b

SHA256
6f7a1c0c3106ba6015e1531d217afdf9a5206ec6dcba54a65774f5f5923b5df9

SHA512
25c2fe3d3d90d028d20d1ffca2e204182093ab58ecfee32cc9640336f1d73ab253a2a4dfa5a8437be50526cfd83043c994dd0f0887dd17b3509ee7c3efcf5cb4

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
298KB

MD5
f3cca1cbc96bc2bd08f0f0047c842b16

SHA1
be33bd1e8feaf7f6f775b3d8ab7608376c74a9d6

SHA256
5d912c7947702efc6a4dcbd6bf5b7532971112fdb6b6cd3f649d44969e6da598

SHA512
0c630c0d9bdbdf380fccfedcf874b223255e0fe74a0fedebd829292898db3dc5de50e21eff896c516de44a5ae692fd940cba9fa476475169b411e35d80233495

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
692KB

MD5
b61464680d2bb0cf9d99fd16c51f6c10

SHA1
4afacfd2f9e139bd1a1d25b150bdd05531b48ec3

SHA256
1fc4e5f63c24eaca2883ac27b26c5ad542e76fda346b2c24a3151f61c4dbdbbe

SHA512
da479bb621874fe80c5d995839f06a5bc880d22b412f632f2d4d3d16a06b80e25aba5ba0e4f3b03eaf597cb60b6178be0c4e5ee0a789b14b68f836a3204e8f9d

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
495KB

MD5
9f25425e039371b49cc90aa25143bbf2

SHA1
72057b9fba3d9c8ba757941cb45fccddc538777e

SHA256
6c22a2c45ad92b0b5159467b74f23f110700195966b61f3720150dd8a59f5e41

SHA512
396fbdc9a93ced2e15b34d64c88e87038c4cb40074628c01face453c38053e8e7a78a80be4d4a7f66c37acd5b4e5fc2ca9e3259c9ba6130ddafe06fe19d8ed12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
188KB

MD5
410c3df8e5c1e16aee8ff194ff61c233

SHA1
e6f19b9cb16e231dd1ef3a0b2347a57fb6f3abbb

SHA256
8052e615a31519fede32be4fe6833b1ff68a2b369f704f172e8dd0749018cc57

SHA512
c4f91f416ba3ed6dfd1e972fce6b90220867c68bc1e57927d49880a5dfd1bdb8ae96563818f0baedeb242e2415837cc939c5098f1eb681c90db38d7bd169201a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

Filesize
453KB

MD5
0c0e288edaec2e1db8bf538fa9a81439

SHA1
d3a53e3d635bf2a900c80ffc96344c935826cb2e

SHA256
1b16439cdeafd2fb0eb56954f587a3eeab5a6f75b6d58fda3d2b9dcf006a2acd

SHA512
f38652503fcd41f3306c75f81f5eaf6d27f1fe9bc210fecd931756ca7c2ee745cb83db363e97ce9298ee4602e276be671f4bb8a11bff63866b20f869225dba34

Download Submit
C:\Users\Admin\AppData\Local\Temp\3850dda7fa236f108b0854e1033e2483

Filesize
48KB

MD5
1ef0b094eb051cfc99e3dfa991c669c5

SHA1
2534e234cbed0ccd69f53208069686ec5c617ccb

SHA256
2e6c724b2aae160291a7df88d394514535171833eba1dd20204f9d5788f0f878

SHA512
13d11abccfef086046efa0957156189235bb2df8186ea143278ba557039b285beb55d990096456ad9d67ba700fe8644dd1ffa75d2c64b2a36ee2a9a8d6978342

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAAu.exe

Filesize
484KB

MD5
03c9275cc2ced38b74e8ea26d75189e7

SHA1
2fd9f2b729592e46cc031dce04f7a84580dc994f

SHA256
be80fd38e8ffe1b8ac9c8e37fccb5b1ae02fa860e4bd5bed538db78000c4b155

SHA512
75961fbe5246e50c9b4ce9b95fafa88abd717b44f0a9d745838bcadad0ccf0988e30ee596f0704db986f6f2422ebc3a926591474c138fa1c6df70d8d0d0e1c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAEg.exe

Filesize
195KB

MD5
4df9465699b7a9cc6ae435cbec264c8b

SHA1
99112c894d94c46076f3b5e9d010491a371a0dc2

SHA256
e5be9db973ada4c7d4af4933cc3794460460dfcd386e6e43c1f808cb456a6ec5

SHA512
cca30712013829b4f880ac78e3208b5fe5586b551669ed6e9cfdb726172e5091b954a5ff40fe3b7321fb3eca73e5be2fb79255e72126e4716dceebab0bbcefc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIkEYEEc.bat

Filesize
4B

MD5
012f52701a351c0fd37931a6d57ae6d1

SHA1
5799c8604688243b94a1608a4405b44fb8a17646

SHA256
e040603473253ad950d52befa413ba231014700f5c91062c6d7bd1300db3dfb7

SHA512
ec987c26489495ff713e4383e87fcee6acc2d737b3b5d267e4e082620cb067788054081ffb5c677fb805f9c4a04a01ca9c57e3392aadcb15fad0be5ad710682d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQMi.exe

Filesize
278KB

MD5
974bbf4022ad2617cf388b64a1472291

SHA1
70b98be8038d5e08d65c49ef480f3b0458ccc196

SHA256
2a9fc83e71f25383859efee6ed4f3be3281bfad1a0c543bb2eb5386725869466

SHA512
88decdfaa59cfd3e4a8e2cc4d75b1b273dfb67cfaf137494d69e9612fd4be4a12058c623143ab4efd078ed7c40113e988d4c49134e11bade6f7b34c704ca1db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYQk.exe

Filesize
147KB

MD5
aa1adfcb288a48e92e9bd65d7c3e2a00

SHA1
83907349da1ffc22eb5b7aa94f10d069ace15927

SHA256
75d3a62a9c11f277a30faf01bb530e5e6e77caadb427c79765d12a22c9cdd864

SHA512
b0a8821fa0c5e80625d21cde94abf671e401d15b18bfbca2a6e620895d51dadeb5374658cd187e11a3e13570178c04150380239cf45e39a630aa8b95bca6070c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AokW.exe

Filesize
482KB

MD5
c8228f47de66d5c6c9f7c82acd500580

SHA1
fcbfc4dcf8e2e4f1be0bfd40ec69b26250539815

SHA256
5ee4a4da5d45f7be8c6b2501994aa6b7cf5cf23a8154d2735b75452c289660d0

SHA512
538d0cbbd2710094676a9b9e2e44e0d71561e470a23bf04dde166f89e35c41ed6014c7ba5ecc1d68e15980e8e879db9adf1751a836c51e082e5ade902cee042c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwQccMIs.bat

Filesize
4B

MD5
98ff1db344d54e633bc7e5d0d6aa0099

SHA1
bcf94a1b44ad2ae1acac90bd32cb95854195e84c

SHA256
08efaec01d22b8826f2c1f73e6c5d649c668556b5c747324dba383082b158ee7

SHA512
de7207e2114bb8872de78b1dee51f45709ac740f7fd5e53bdd6308a52da7d88637568ada8849f5bded901a79b6c9f07f62a2ea4376c727516be8c7fc18609eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSMAUAos.bat

Filesize
4B

MD5
ae10bea55cf3c013e5ac2d9473b43933

SHA1
3ef25d38ab4de4d085e41b1a3f25d35b1f4f8334

SHA256
78b6df65b14e45cbe71b4492f0e93fee76d3bcf578d654e04f6f3d62310dcdde

SHA512
3ded8eb801a86ff8efbbe0b7737d1c2054bddfba5bd8d488d82e338939c0ad894c1d9a988a14cb5c5e67d280100ed99e52708e56b6141330727540d9b1d4316c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIsIoooY.bat

Filesize
4B

MD5
60b60474db35fde6d49d4b1ef8048b11

SHA1
190f72094899ec3407122683dbb12246e9a2685d

SHA256
2305c7fe0b9b2c5f9dc25ed1c095a565f00f005b1fcbcc732d13c2cb9f372912

SHA512
ab9f5d3eaa5abb08e093a40347f49a1c7b25f34580b371667a21834e612474504695c8f2bb00819ee52a4502fd19983218b85717dfb3d481e28385b4262d1a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIsk.exe

Filesize
454KB

MD5
6f285a3f6e008ded6e908dc1248d3bab

SHA1
9f292f9fa6b03417ff1eb71960a750191cb0cad9

SHA256
9209b64524c3d08b12607ff5cadb63ccc95cd6e8107c92231b4e7d4344965890

SHA512
cb3c0d44e4c6730f779439577f4896b5341e9f262588f1305715e45f85bc0058a57370dc73bcf4bbee72ff7ed6a68b9a829efd3f56036f173d4475e94cd7eea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUQk.exe

Filesize
611KB

MD5
8e721c5f770e6ba3fd6a577ebae7d3f1

SHA1
ba704d9bc26f59059eb93e7891224da68250acf1

SHA256
fd42ca5afd7fcf4a012388b8b82fd780c4d34e791d9868bef04d3e2f05ce833e

SHA512
b12df4290ba56b9af1ed35ffe73ca192fbec04971580375ce5fca430ad0b7f0d849f7b5e998d316802e9d8031630f95066127d922c2333dcc95ba9b8531296ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CogoowwA.bat

Filesize
4B

MD5
e6c3d6236eff1ada38b40da6d7cda7b8

SHA1
a139f0c53cc8c5da7f10067cefae80a5f68e72dd

SHA256
287e32555758b14c5512a975a71159903517778a71651d1da3a96e0c90d8b701

SHA512
1591d6b87f2d5ed9b35adfe6d10e9981809be36bb5f835ed0f6bcfbd66d64eb6c7d77012681d5a4801dac85ac01c4a79f1b6a62fb293b3528a4fad1dabf5304d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqoYAYIU.bat

Filesize
4B

MD5
c26c7f6b6ca468c7c3cb43ee3d1befe2

SHA1
a27ade90bbb38271b5691d63fba340be9260ede5

SHA256
073cfb649a77f941fd536588e9be6589507ce30edc82eb73fbe82b1785a807d8

SHA512
622d542c820e8d7d88fbaee19157a64640720e59102a5f2a459d6b84fc2363310e6173489ce0ca41c1be5f05d719734127f1a18b9faac8df92763020ea487f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\DwsIIMwY.bat

Filesize
4B

MD5
063e69213218dafb1cfb1dc0883d6396

SHA1
a8d08bacafbc77be6d1ca3079d8b79d8bcc7d92a

SHA256
f745317c931cde8409ecbc63c7a0148fdfb398b10c9731b79109ce391c76c440

SHA512
0c62a527fb532595d19e0c88da5075893451a16158f7dc6ffdb1dc022f3967a57a7c6e0a996d581415f943dafbdbccc9281b9d1a515fe3e8cbf50b4a4fb0ed44

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMIM.exe

Filesize
478KB

MD5
1a3abb013b39e287b4234d81325399f6

SHA1
0bcec4ef23c71701f9f492d2714d82232cd9732a

SHA256
bec1753b720e5dd4b9f39435b081f171571a375619dca309da9c8bc80e5d0372

SHA512
2302c36be457c63c558c17da100bc315a5e724ee98ab5e60b1524bc7198f49168dcb759d820432b4074df679ee4c1fb7dc1b4b01cd6c1bcfdbc30d07e86db11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOQcAcsE.bat

Filesize
4B

MD5
16079fcf79458f5d56647684e98aeb36

SHA1
42ae6530e60411681dd37f15acfce64222eacfdd

SHA256
99ddc668ededa46e9282d698b43491ea4554579f15a27614bf36c16a0fc88c1b

SHA512
45001ece451dca95ecba4d6eb998f60c7aca8af746912b543a120f2b28e3b1347a28f92407b6afb16c9b2707e0a3f41b75abab65c90e1e51aa6f198b6a15c1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQwwYwUA.bat

Filesize
4B

MD5
dde4748a8e22748d4c1cfce3bdb4d2dc

SHA1
62186b3e1ac8c8826d3310802a709f82b03f2fab

SHA256
0a6983bb4f9215052ff06a6f0fd6a6e424d7825b3e89d9d0b5002badc30e504b

SHA512
f79c4314b4bd2ede99b3ea942605b360352a0c6e515e3ed73f44023801b0d968f5b92758b45912dcb98ec68baa1459f0ee6c5335d03541460738083c66cc4784

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYoa.exe

Filesize
380KB

MD5
49ac2508762dad42a6f2f09d9ee130f1

SHA1
09d3de87bcb63a488e7d3fde5506b1126ab64c31

SHA256
725be9328446a575773f0ee1b8e9d9d0029b0019625f624043043ae011b7b0a6

SHA512
0979d778f2b2e9bc9ecb5082aef3e6bcf8b4a1e7adfb2d79b25bc560b4861b8a0b7294792f903306c3b583e4ee713c90b04f762fd36c940724e6a0dde05160c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwUG.exe

Filesize
158KB

MD5
b7d85dab7ee42404c1056f73e045a8aa

SHA1
1845030b4fe487b64a6548a82e7d639d4d0cad5e

SHA256
de39e7bced7a8b8f20f6835b9a3fd484888d6a4b1f3baaf5ff1811135774d12b

SHA512
9f32186689a1034a0461fbe6d6d268733d8a8cd9349e6cd97e55591e993c47acb7c1a265d75dc3cd551c6700a21b1e29d0b1c1106ced32cbeaa1d7e18e6a88d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOwEksgQ.bat

Filesize
4B

MD5
555b1c8c74da8123c366f0675d04add5

SHA1
779feb3f4dd89a62a02320629f1a2c95b85bb084

SHA256
7093d3d3bb06960f4e144ba2ba326c9f4803b476f24e4800c6a4c5e110975933

SHA512
2dd18c0a463846fb996492636b078b2460a86256a8155e79e267062d4168fe374ebbfb7bfc2af412312ed9ff4c650a1f989629537ad6cf38cd9ecfa21e844a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\FigAIYwo.bat

Filesize
4B

MD5
430007323e485fe5d57202712c41fc50

SHA1
69a75856731dbfdd64614c94552f7fa86efadde2

SHA256
e330b30cca2cb8664000c80a514c5b00e4109c3d15bc17af42ad7a410ccef0f0

SHA512
68cea109690d66964a51e67e4653fbe57cda3bc9a6982bd35b09be6ae12d0105567d0cae8ce44b6b648af5580e9d862b8a3237f69ae1a9104b6c310045f274e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoMUoAMI.bat

Filesize
4B

MD5
3d9227baf5c4d078c9252fe32546cb32

SHA1
3797e78113ecb4a6afea0500a5f51f5c7cc0e04a

SHA256
bd85fc7fd858040dbd146a7833fe441eb2f1572dbd65b459a7bbfd713a417573

SHA512
01108ee08d717db42b740324c4219b91af65028fa5cd18a6a2521705ed5973031b53d35cdaff5bde291db9ecb54818024b9b8d0ab5cc523fa2548068d8724d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMQe.exe

Filesize
483KB

MD5
c801b2f2dc03b5ecf21ed21511923353

SHA1
767ead77a46131deb14be069bc4c8d088e902c3d

SHA256
5e66c254a193d176335bfa0b3885f84c9ab2f231a10ac7ac1d74364bf72652a8

SHA512
77f7c8f2f9e3aa5418340c80058b2b3c9ba1db76b4681cc4d59586a1e0ab38b382fb6c6542ec45ce606f0dd0b6065f89440c5a38cdf3d4f96cc0753274062655

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUwg.exe

Filesize
645KB

MD5
0049dd1a97a2764a2d4c36a47ca53c89

SHA1
46b38a3585f84e0e537f9b2fc105dd9023ae938a

SHA256
3e90cd669252ef51f7692a8d7c742ccd8be3a9a600a6baa0209adf950508f9f3

SHA512
e1bfdd2c603297cbea2f3f3fa892c91594058b73d81b65c5cde53b285ced2c8750cfd82ff05edc4937306e9f33bf2c5be33f7de63a8e5649b2f1120e0fc944fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkIq.exe

Filesize
259KB

MD5
92e4f21dbad5985a3b1a81d8da3e7dd7

SHA1
1c0693889b213a9fa4df998962cd49f6f20cbb7d

SHA256
87fbc2ff89eefdbab500f438a340214c1aaa10a88ca58a0e05a183d642250a06

SHA512
0ba22d158561021290fac59a5ed6fc5fd3a128d2986a1ad2b73b794e22cc99153237dbcb370f5cdae2c9f9167f919e32a5523dbe39bf6769caffd43a206d665c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HewscQMA.bat

Filesize
4B

MD5
3731cc3c311dd2b6727a9fceba1dbefc

SHA1
60bf0ad19874b4f0d65ac880d3bc6b6c27173a69

SHA256
20c00c9dd0149da25f1e082bf3e1906a1d3da3dfc69a32ed8588fe883574abba

SHA512
1abfe55aec9019865ccad758b2f49928aef43add9c6bb82e4bd30eca1b18736c8534ead915dde51481e2958935ab9553dc1b05cf5a3c302157136d47667d4178

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIci.exe

Filesize
143KB

MD5
a69fd2abe1f796f0daf2e257630c4022

SHA1
d710605975e6a6415df77f9a5b439682ef1054e4

SHA256
1d14863d2bcff0c1bddb2fa990924867c5274742232639f3fac661fb113f4001

SHA512
dd210693102e6ed3ad128b22fdc1f6846eb298da180526a28043c62c31584ee7fd6b8b4007bba9cc175f4415f6af013cbc7ed3a226d9c8ca9d406cce6e60072b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMMM.exe

Filesize
136KB

MD5
609640aee9a0499952ec3ef2e5747496

SHA1
a778e3625735b18883cb819449ef57821ee547d3

SHA256
12c9e09bdefc33b25df380737e409c89adc396507c3dc0b2a352594f94a552ea

SHA512
49b44198c25833ed01b94304127ab6a1774042c19188867c1320ca41f2db4296588b55bd8de1619da9835c2f16a5e8b46975f2f9b4a234a2c0307f6f643d941f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQIY.exe

Filesize
463KB

MD5
14bc6101c9bff4581b81f7039a65148d

SHA1
34971e53109569b0a521dde97ae302689180956f

SHA256
1ec9edd69969d4f292acdf61c7726620c23cb44d08f44b2ebd9f4411655547d8

SHA512
d8e9a35f2982a91839a750f93c6a154dcf7633dff8475aede70a1470f225e5d08556763d5ce18f51b73432d7d74c277869057d68b13bbc61d7d52bf827f4188c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IewM.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iose.exe

Filesize
483KB

MD5
71d5689aed7a0ed5ccbdb733656aacf1

SHA1
83cfec0c62c2888d46b351760c2b8f58a91e3807

SHA256
d39cc265a9bb9473294d9c290b34723eafd94575e6fb7c2a45553e5c64005ed5

SHA512
9c99c5d99773b8b0d0b80f3bd1da35a9091c43e190e4cf2f180380b884ea9d81f4ec3a0cfb9c77c3ffabd1f2aebb40ea586b517f567dc2eaf6f422a0d15d36d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iowa.exe

Filesize
478KB

MD5
bbc9c77956905b3a93fba5d02d8d620b

SHA1
3f8b5ab25f87d35a3251c0a1beb8af5e8ae34029

SHA256
cddb321ba8be581ead08c6d6a3a8ac434ba1177a9bd03ba85617e74425fdd18d

SHA512
6cdfa013e8d71a94c179c4a131918099b6e0930d34823e4858514f9f9499ac08dc7c084c39923dd45ede371ed5beb0e9eaf3f25e5cf6e81c6135488a13f3b61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuAosQUI.bat

Filesize
4B

MD5
44c70e54c438b281a4d9c799a6f300f5

SHA1
ad679795148350be09153803461d0609c8e5095d

SHA256
9fdca9530d6f32607838b73db8d5d9657cc3836d993a4fde9d070d2582cad482

SHA512
d71680ada52590158c93f8c998d01316ba88f77aa0d0c17ee10ccee6d432a85dd806658c27ab558167f50ffd273ed3f190e7530a616c97a9519623b2dd910e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEUe.exe

Filesize
281KB

MD5
84028093ddd155a72201e7233b50e20a

SHA1
17437c434ff77dbf5b04db79603c7a404fd340f3

SHA256
d8b3233435f47df4e9b6bf6add423d7a825696cdcb2d207c96b25fb9692aa13e

SHA512
4326daede72f69ccdfa83ba4a9b4db79c1012d4ab681a91e951c384b3dfc78050cfa7f04f1a0b0e459be2dc456ce771f95a5b4a0711f6525a32c9037bc119024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIow.exe

Filesize
416KB

MD5
5aeabde180f047c8a1c1c26d2ced27a2

SHA1
97f1b8c1f02acf593d16d9d855d631f93c6933ba

SHA256
a3c4d2d7c197f5af6af5d8b6640afc8d89bc3e3c24512d9c6d3a22b756be586e

SHA512
15cd9fc49f23ad0f61713e19c0a9a9709992c5898a3595e55bf576bf755733a19761560d1622ea912db29730cf14e9567119123fc83ef7b5eddf1c71937ea7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWIAMkIE.bat

Filesize
4B

MD5
0982e6a79df7748f41ff08c8007c2645

SHA1
1a7ed41324c7acaeab7318e6b9f8cf4b806f4d3a

SHA256
3ee06ac918c6e68a831ec78533d7b3a3679767521f8490418617c1343b6c3afe

SHA512
0987b3ac51313ef4043a2274418d9c699b71b00e3e37837f08932307f834f2ff6fd4212c3af0d347c55a6a639e98492c7f771d026d0f9526c6c0f166f598ce92

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEC.exe

Filesize
477KB

MD5
13b0c5f2f30cebe7ac1c0cd322fcec57

SHA1
6ece79af1f26c6642abdd6ea13a54665981d7152

SHA256
b746c2c44d1b828766926bf6df4690c09337030f977c1128351c54755644f6cd

SHA512
2385885a849dd169f34a0531169e9f0b1066fad79e8da7e4541aa53f5e5d01feb1d79a2a88d12c1028cf24ea7b43764fee5c113d71e89938970f60514e824be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kkgu.exe

Filesize
480KB

MD5
06ca132beb74a98d794c39807e7d93e9

SHA1
a2eb6ef1465550775e92d723747525e443c37c21

SHA256
a8b0d72c5c03a334dd37bbef2d36230dc74ac6dd9a6b99ef6277b3fa4b86570c

SHA512
c1628e4e0ff6ddccccc362f5be8dc4b1a5464e86e7d49f1812d9869b96f029cbfd63031dc231427e7f7182506ab758e593ce204e1c4b06c135def8694762dc21

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwEYAQAM.bat

Filesize
4B

MD5
bbc4fec758c21f739f4d795c569d84d7

SHA1
fa4fb9c5ced8c2d134893848e7c6d604a2ac4f6f

SHA256
e6ede0b8a79018decf71b60a0288448f48016957706fee265419fd071eb504cf

SHA512
c04a49e53d31ab51c0dfb355b95cfcdc1396099e2575f53d6eddadc9c98f5eaea048235168c334fb2995a4aac729337a20b36d427834fab80d5a294d1d5f345f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwEa.exe

Filesize
445KB

MD5
6d70defd082b92d05090b8174f503ba1

SHA1
2b45bb5eff8baf258be4ddbc43f25b52f9725b3d

SHA256
9a8873f098166457f7a3734f7d1c9a69dbd113172ea4a72c8658c4e1c12edaa7

SHA512
08ace2f11931c2d9842193421f758919db31f629174875a9aa3148a8c8e2e6a032a4d53a5dbdedf64db77d6968e4edbcf4a5a00db4266f0363956f9004e4bcfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LYgQMgUA.bat

Filesize
4B

MD5
5aab004dd5a7358768e0700a549f9b45

SHA1
9715b9f481e8ad74b481377497cde7a8ba05542c

SHA256
78947285d03e6cbc96f9315c167ab75dc0b00d2640ef27a15c669873e88e1714

SHA512
316b34fe6af76d9a66ce736c4d20d6b4a559cfa905d4000faca34d398411d809d5c7609de525bcba6e4550c4075ee5e9bf132d3b8709e2821b88ba2cc20871ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMga.exe

Filesize
481KB

MD5
8089be171720f5d6a49e2137cfd79cdd

SHA1
33ade0b605e254f7effc5c5f7663233a0c392ee2

SHA256
83dd7c14ecee07d36539dfd822636d4fd363c99ef69040b547b3dd1333beae17

SHA512
e3509e3af46909db8fcfbbd86fda25da5fac8be2f9789d6438c4f85d81530afb8b3cf96a0c12f7f742c519ec1bec7a3973dfdf67b4d26aa0d72a4c7f01e85742

Download Submit
C:\Users\Admin\AppData\Local\Temp\McYE.exe

Filesize
93KB

MD5
ae537059d8e9a1522ea55073e697c8d1

SHA1
fe8c1f5c6d604e4564d4608ba960371550599091

SHA256
7a8489e6ff3fa53466d3bde2bd6c02b9ca8408a7208dc17f4beddd39a7f0ba3c

SHA512
5f1bebddcec13cf464b3b5547ad59688473c47c54ded3299efa0bea71b90a71be5d309ae54edd20edeb30804ccd7f7f158466a9c61a48040b99fe102ada93f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\MggQsYwM.bat

Filesize
4B

MD5
6cba9515afab249f9cb4d50d3471bf80

SHA1
a3ee6755554365a87073fc552cbb8192500848f0

SHA256
83e265f5a3751552a24ab4b0aecd11e9a2fdbf09b7bde0b100d12006297a72d7

SHA512
33f1ab71db00ddd51a4b692dae21d465701541bd936305493f78c1566fcb7f2e0b7662ddb02c9ff13ce739981ca46b06b922b9388373107cb58c8fdd8a3d1871

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwUo.exe

Filesize
445KB

MD5
2f1a47711766b21c209304126d718478

SHA1
3fdfb1b1deb004a716ad3d27ed9647515d5f3a0d

SHA256
8753d79216eb9413cea1cd6f4286c9cf8cc8bb357bd478c5d0f4faa193390dcf

SHA512
61d39c52e8902372acf1049ad0673da309e25c8470364cf4b5cfd75f87ecf144d89144c45199c0978532c196eec070e9d4bb0e70d93905b1a74a4b38e33c6aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEoa.exe

Filesize
132KB

MD5
882344ec05fc38ec9a5afddee05e9c60

SHA1
ed89292f0c8bf82bf23239dea6750915eaf16b85

SHA256
75ea6aa787c20e54815754e1fb993fb7c04248b8e4b1679d1cf9e29c0ec08e13

SHA512
cb1eca7fede395d418fcd020182f27d774618121fd989d5368277dd6f83c962c1da1bd45ccc22ce57fac5434442819b2316886e7c7461bb46d50729219d890f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEsG.exe

Filesize
552KB

MD5
5ad5f2486005e7113af6d8f48806e9fa

SHA1
8fb8037ee762e1dd4bd714dd8780b34b1317c1f6

SHA256
b61d99055d9b5b123eccf3c6d59d2e68061bbac04e65c5b20bea3f58e3d118e4

SHA512
9be14204e366f1d47e89d196dd98d66cde20f5cfc7dcac66d8a966ac8d3319ae027d65c929aab061b06a2acb0699d61995fbbefd97d0b5e41a5c331335c2afe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEsc.exe

Filesize
480KB

MD5
b2177ba77b6af20efa21ecf0fd82b356

SHA1
f6ab496c8b70cb365ce8009f23cf1c0ed14a9663

SHA256
6f36350fd58a83faca3d4afeade472397033c00ad6985ecb0cde0e1032977d16

SHA512
86b67a741e08c17403bcc88ccfa76e0418c187a7d8f93e73705082a989353453ce7ed9c91b647d5634a3a5a276b0e016205dffbff14ce16aeba9339b5f504984

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMUK.exe

Filesize
412KB

MD5
9ba526a0b6325c4b5d80bf8d126c201f

SHA1
536ca710b4b0615ddebc0d651d3923bae7b3aa19

SHA256
001039017610a2247de5ea7424928a32bebf8edf83b1090df67362ed9a72e515

SHA512
bc64fc37de6381da49fa82eee26adf65a2f3a1a92c744c9985e005fa06bd2deac5036c69155423c2bde3fe90f5bf74ab3575ab3e1682b5e2d5bf67fbcc509012

Download Submit
C:\Users\Admin\AppData\Local\Temp\OooO.exe

Filesize
481KB

MD5
d097f1c8da65bc9d6edaecf08c13bf3e

SHA1
28f0f273ccd3c4f139a0342bdd634886e36537b3

SHA256
57b50e7617c128a4f3f671c9d9b33f57cc04d295f6ad72948d2559d822538b0b

SHA512
970a9c69653d0df1ca1725daf61c72a04da1cd274eaf71dbb69507c01a273bbe152185997075052b5e7350b47d590c044631a709aa2ec25f4a2b5482020be516

Download Submit
C:\Users\Admin\AppData\Local\Temp\Osso.exe

Filesize
189KB

MD5
a03a6e8a1df6321c153c7d76efaf5486

SHA1
13f6e64d3603c7ed1d09b6b65f8f67cd05cc0671

SHA256
cf080fcb7c5f5abeb244c2c3fc8e84b0019383bfa19c4b7fa549360db46f2ceb

SHA512
ba5e6f41611b15e6d55c050ea41f1d2ba1acaa840b5e2fb5c707422dbf7164f630855392013532a001715f6eef604c9b63c4bc1476eab98006b82d695d516f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKEMYsEI.bat

Filesize
4B

MD5
a8ee74c95b743e6e1e61f45adcdf3227

SHA1
a9a7965db1b759326ff60b71004c52ac9436877b

SHA256
b82fe3218d6939832e224da735ff87d544f9f8adc77d85715326a767c8baf885

SHA512
40f9008d98878a0b22a9b088be91860e6fcfd25e84451188141b5e39f7e0d5d958251575772ef525cc570b35c0c4c88098b8f5f430ca4bc60aebf9031be70f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcoAoswQ.bat

Filesize
4B

MD5
1ffbe31470acc18d273635986e40ec08

SHA1
e6112ade3feffeee334af9619b9259701dfd6626

SHA256
90a6567b191b3eee71855d7625589b1ef266157d6302f7f20c2709e037d5721d

SHA512
9b88632652540631cbd5d56701c13361c7c95e2150ecb292a2b23fe5cc73128a82474cb46619a4e156ad1085f8fa014b09139d541699d6404a9159ce97ebb056

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qcsu.exe

Filesize
473KB

MD5
ef08f840944868b65700c53c9df05769

SHA1
9f721c166a02bb76bf79997cb52e8c5a73a48a3d

SHA256
38a725587fbb5a17b8948649b91cd5b1c2b934271c3e8eee2627d3a8484d85e2

SHA512
ab354a28d0528d87d13b7cab9ef7dc8f64abd4ddfad4f3f8f073a7d8992c98e013d94b06b2fdb334df8ab796bd4f64b679fec3e32297c6e6a2cd01c250c5fc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QioYAgMc.bat

Filesize
4B

MD5
09dce2d067bee39034675c7e1ebd68f9

SHA1
33e525d222332c114e1dde7691771f26c2351905

SHA256
1870004e138449c465880c58160ab71c48d6ea3d934ab725ab7f611a51ee7725

SHA512
23b50606fa2eb8f44e30c90c7e16a10aac63da8518279deefb161d137d11f79e41519ea2336d712fb6021af9893e0308ab92a4398394b6c3f16bd012c460d575

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAsoQIkc.bat

Filesize
4B

MD5
faf23526a0634b458e2ccc6de49d0e7e

SHA1
92fed717d82cf519e3220220d85d2d5717d3c138

SHA256
c1985537cfaff83d6fbf1bd152b10d6ce57b7d32aecb1250c325643a7fa2284b

SHA512
c688cc4aa029bf7f73a66c80115459ba63c215ff2daade93db799dbfeee30f76dc671bd3e30a8b09aa21cc1d162836952019aa05910f5dc7c8891df4392afbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMEA.exe

Filesize
301KB

MD5
8ef3d9de070fba27850ed7b2d0628aa1

SHA1
1dc99335dbad64554015adfa4dd2e09cad9b48b7

SHA256
80536f6163922789dd792ac815b4d5e8234dd8b05d81166e47a627e03027f85a

SHA512
52ed0c3b73d03ed3dce9bc248a33a2653bb37cec25fbc876738d150c42f698de34dad4ee0f19e0539d9873cc8107600ec6e9e38f72669b5b6259a6eb022f72bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkEs.exe

Filesize
442KB

MD5
037fa1d16de2e5044a9c83a374cf5e9f

SHA1
bc62c09f852e64bc4c037ddab6dbee9f9bcb3b26

SHA256
59a0bbb0a7e6e060f7394dfde768d76b61c0b39627a64dedd786b348b6cc626a

SHA512
5d85f3e89b5629af5043bef86f26084f7b24fb87f1a3c8c85eef8e53533adca63cace7a6e45556b9aec6286f19a4935865214a9f50e39d233be98ab301dfdedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoAC.exe

Filesize
220KB

MD5
fe8065420c446dc75fe6418a07a688eb

SHA1
90dd93e31ede51c8ffa0913e11fb8f8a34846c94

SHA256
115403146fc934752d5bb29aaf414aa03d634acd072a38d504a76eaccb36d6d4

SHA512
224342e3d5716419ebd2a0f35156e100ec1be30c38a39ad11feb49c48bf80d89084ab53d8dc874f2be6bfdaeace94a6834f7ad433910f1ac02176f5d8b78bcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoIm.exe

Filesize
175KB

MD5
593b56c35453aed922013cd5c3cadc01

SHA1
519a05b3d1547efdc61ca63caf99d38b9f67760f

SHA256
d9d95522b1ebdd32d1d9c5d6f6828be3fc2d31e7fc528088644494d3e66b5af7

SHA512
fa39f9278683ecb7fe585d7d70cf33e44d1f7d08f03366721d7f61e2ebffb4444eff38538579a94b244300c14e6eeffef5f8fe339d6b4c0604163065b07cf451

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwQG.exe

Filesize
418KB

MD5
78a41ce6b478b7f15e9bd2dbca897478

SHA1
f218b8fad426d9d2723eba2a1efb23c89a775bac

SHA256
e60c02b72c97643bd29542249a5a0843aca2f4d55b114e00f17afb55f67e751c

SHA512
b6a882b0a543fb6f1eb982b2c304aabe3121b2f8064da3e9cdd44e99468eb14a4eee709c02b49c7ddc2923fa8310a7d6c9d6de88aef15f44d024ac4e1cd40fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SyQwUQwc.bat

Filesize
4B

MD5
771539ed6e8eb25b62a60c0acedd15a2

SHA1
a32218ef38042c4a13235a94b1f39ca5fc24146c

SHA256
b145be324d0375b003fb25ec366f336c47460e662680894016fd5f6d5215e90e

SHA512
245ff0ec05b6bdbd63e20ed350f455fb5294f70f9ebf69566b592583a4c0bed110704561fb1f62cb9e67cf1cf8d9d104bd5a4e41870f7079def778ed598d9ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToIkMkAA.bat

Filesize
4B

MD5
abb25f2b06d9bbd26427e02b2351fc60

SHA1
747e436c092ecc06fcaa22491612701d9b51bec0

SHA256
5633a4421519e3c216cc28b0db4b0223a8f6ab9c03e4b5a2cc3f91436fd56144

SHA512
735d97a42e03fab0657455d1d431a5b950cf6ba48257eef6e6dade0b8a99df653a887b09d17a702cbe6bfe187f9d9602a56fa8cfc1fb942893037f09283bce42

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSYMMsoE.bat

Filesize
4B

MD5
da04a0acf7baeaa57e1de5a8845f1e28

SHA1
7df27ff5853d1ce4ad04f6d128788f98adebc647

SHA256
b550d0acfad93e4c788361355a6e1803baa24d81515320945fc675cd54e98d51

SHA512
07f25b2566b769d558b21455120691708b51a9e7dc179a84d231edda9bb5efd5318314b2927984130b6bf68a89304302e7a9d8a2dc0f7656007877de8094dcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYcw.exe

Filesize
592KB

MD5
3221bd3f4d9a8892e6454757f2a97ec1

SHA1
d3d407ba6d4260f96a6f48227098efd4eadade91

SHA256
e87aa8c1a005db8894cf9b5bd1f5e90a121fab20799b4b3fe6a5f552790029a1

SHA512
4ffd1e8594bde038d484c40f8240f825a64240ec7d7761939e8ee7df335a1709e72c3b095e6f185578d9397ddfa5cd563ac3af23e57db93684aaa732b59b03c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Woke.exe

Filesize
480KB

MD5
0ce2e2ee1a222f483e44272ec66068fe

SHA1
63e2b8ee96c438d8d36ec58673aaa081fc2c9555

SHA256
d8f9138104eb5db10ff83eea0bc3e3b224e6c795235ba998fd5f942012b02062

SHA512
cf3cf77ca5f542c93a0ffd4064ea3a8b1749e7671fe453a85abd2a7554e3f2b5022de9d0ebdd3a82774c224683852ca043d02493b3dc60a5a6e0275fb7d6c25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwMs.exe

Filesize
481KB

MD5
a36018080173f87e3a6422e124539403

SHA1
bc180b43a0820408938aa6c627b2dc74ea3024dd

SHA256
3e50f9a84037cfb0a1f1d60f47cdb8499149694c4463c963bf79316e6a8178e8

SHA512
69eac57c52c302425978ff6d42696ad005c202d27100bc5de2f0b5eebd72a4906d4265357d4a603324055229e70eb36ca99dc7c8d125233fa43cad6c19c230e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMsQ.exe

Filesize
563KB

MD5
60a33a58839c6eebcfd27acb90a1fc07

SHA1
a4fd65fe7f097f4564774d3bf894b5853d1fc6e1

SHA256
cc5e54214da86982317a3eade94e51666740972feb2af2d46e3d82c638db7546

SHA512
5f00106c8ebf5c5f1f3b2255c458259da06158e67d350dd822958b113a3b603a4f20419c6b99388f2c7c426e2811a7a5a7be3f62d8cde09f555e3fc6595f2b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUEA.exe

Filesize
479KB

MD5
dca8034f9c06e9b1565d5ecb18fc2cb5

SHA1
2a13d21e283feac0781375a51f0aa9bc0c4c1844

SHA256
20b0f402137bf92ca783b0ba7624de05f6dc03033a1768f5d90938d2b4c08bda

SHA512
a9490a2a1535e282f632970ea0ba5553868e07be57919c13fd5c2e85bdea8aea1ba74aa6e5f6dd9f7ae06a95bfde9a783216bb4bad92fba98647bf2067924d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZyoEsokw.bat

Filesize
4B

MD5
2fa92a62dfa2e17a0f92be868892fb6a

SHA1
38ea064bd37a905f018754b2b4770b11e02eaea8

SHA256
774b2cf8c1afbe686e5813a12db17eb0a2277399dd80170cb01605b70f639975

SHA512
427bf294ea34601321af684eef9fe191842ce86931f1e0edb58d6d2174c29e0ee17edcc85b0b20116bfa1ef6e213273a2b1021daca23cb015fb944a15f650533

Download Submit
C:\Users\Admin\AppData\Local\Temp\agIi.exe

Filesize
438KB

MD5
85e99cf76312528e0e84c2528ad2d3dc

SHA1
8a27fa2056106babdf51613191ed275d1d3d1741

SHA256
82c2dfc219e47aa0517ec2e20afb4f2dee862324044dae633ca19a74ebb2e3c3

SHA512
228ef98623e4cb55664d1563238a4c0324705bfcdda276784cde8236c4f4ace1cd241e4cf247b8310f40c21fbc57b46fd5ff3ae65c1de3e7a048afb59c83d741

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqss.ico

Filesize
4KB

MD5
8e03abdaa3016247fdd755b7130384bc

SHA1
08dd2d9541e1961b06957fe9a19ce83aeff51a5d

SHA256
42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8

SHA512
e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\awMO.exe

Filesize
401KB

MD5
82944e4cb5925eaa0e050d11e5281b90

SHA1
2ebce62ce6831796fae1e163ff95b8a373a9a3b8

SHA256
7018933aa0cba31eec56679d7ba878be1b068b43e6ea69573d2a662914612236

SHA512
388c64a62791bfc80fc227a08ddb25b0aa168b948517aa3b9f59be391e61890dae3780ab0a378891d7d4e283bda43be13f2ebed5781e32ddb6cf65c79df57c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\bOcUsIsM.bat

Filesize
4B

MD5
ab669577b6aafe4bb7330ec27ce883df

SHA1
c88a4ddb04592e2117e3d7e09083f7ef7f44c582

SHA256
a7739f9ce0dfae7c85c601393aa3295d2ea26be662c9d1d6028ab6bec70e950a

SHA512
3c62fded4f45a18f98c41bed82dc6eb62a597fc8f3054c54b0c6356fbf8ddfcffbb05e9d911e30aa66266acb9308854d140ccc156b715aaa89087165fc259545

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUoi.exe

Filesize
345KB

MD5
7fb4c3f25ac35586fea508c6e6a3e026

SHA1
b5e725f2003a5fea40fb12abb07e1b4e2bc4ae42

SHA256
4274a2f2d8497cdddaff96d451bf6f612d257f1defd432556758aa8d2f0cda8b

SHA512
8826f793b384cbcc43fe01102c2b64939cd296cdc2591f875327c2c1456a2c87b65b6ab93735812dbbda2f951fd1a5db11e74d23ecc8d625daed466150e15f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\coQM.exe

Filesize
387KB

MD5
25299339ede674bdc3a3d57fe8b0594e

SHA1
b00a4573e25bdc61e732d02cd7d37402741e3da6

SHA256
18f97e5515c64f0c17bfc2437bab47f3737b689a4e623f72c7849ec49364359e

SHA512
3de724e77f689e5fccfc5155010a6d2e7e280b7d41d64fa6275c905804f74f9f0a3efa2a5efc0c3a9fa24ac59cdcb261b4bf41c7ab8bc67ff080aa89d7720217

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYkkUggM.bat

Filesize
4B

MD5
54e5b753abd1260ee0910d0371b1fce1

SHA1
4832910ebaf86d660dea36d4f0f9a3ff532fc203

SHA256
263a2084c5d45816a392ee94d73fa3c3c80027a9e7356e0d809c955010e8417f

SHA512
f5cdf47ddd1dae5667ff533801b1d82bc15ec4ea3822e6d2a9cfe604bd4332352c1900996e4e60d4d6317cb1efe296d90b0d3cb67e8583b36dc64123f8a9aaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEwe.exe

Filesize
191KB

MD5
ae669a1b8a22b4e23e1e2edfa6c357e8

SHA1
8308538586c4abe28385fe667e6e96301bc1193d

SHA256
788abe5d2e11a980887ca979c9021a32af1b6c1b8f2b7c4ef98cddd84d3a69fe

SHA512
a9e5c7cd89795b099ed4b5931512aab2ce994a4ec5a88bad1d311aa54f3cae5ebc1cd32aafcc64d88ea7e8e228c46a1b4d8daebed0276f10e4aaef430b9c3a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIQY.exe

Filesize
438KB

MD5
a2412de957c45b4d7a9a139a5fe52299

SHA1
d7b319c234dd19763dee105d04624c22494c5b27

SHA256
4b484adf19284818cfc8d433b1690a0fb52fd64bcb61517cd0f4386f1e642b12

SHA512
f48144d0eecea194893eecb10e31715cf14041a619f68afae90403615308474c1977a5cfe6718f90a6becef759e158b269e1adae474453d66ad929d0e7be4568

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMAa.exe

Filesize
479KB

MD5
2417512b37496b82b2688b158d6434f2

SHA1
7e7bd0b7f2ffca62b67924140d9d72dbfa65257d

SHA256
750f4976b2e76b51e2d2b9951b3768e1cbcaaa15a47dc4ecde226548051b7239

SHA512
7519f7e3b80025bdfd1fbb100b1cf9df62f135a646e64beeb8fd9396ac263fb3aabb91cdea9c777df576700c998f85a28832b4c65c9b08f18666c3b70b805e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQwy.exe

Filesize
403KB

MD5
c61d74eb5bed40dea3ad507ba79fd66d

SHA1
f3c2ec925313e1d31868fda6bf33b3be36ac8390

SHA256
2b1dc381e1215085f2230f896bf8c745f8f20ca2d7c0c0452d75ce360f44c61a

SHA512
e2c6d82705d370fb26f4ce2203f1cd8d5fca2d1adea96ddfdb027a6519f402bd44c98402b65764d4e6f289740e5676228f820e5b615afb8fd2e6661b2e469f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\egAi.exe

Filesize
238KB

MD5
a68407d8bb0a167b04fabcb4d90db272

SHA1
5221bf26e8b296f9ce77a20d5e5b82e60626b678

SHA256
aeba47fd03b4085af18cec3388c3a27066ca3ec044664ed75a897d3414f428ad

SHA512
5adcb28e43f5096cffec475a859c9822c4d4b923efb49415a7bd6e0be34c095b830fdc97313fa74f0829d286bb35b5f9e92ff25647f279eba92703447562a231

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIEm.exe

Filesize
439KB

MD5
37cd002140ee1c1ee00ba285a2e5d8b0

SHA1
c7205d8c53fbe9cb8ae36f082a46ae8813b31945

SHA256
45aa72a73ac5f7055b0a10de9a9ba0b928b1f6f35ac88568e2f4c202e78235d7

SHA512
21853a27ac2769a7e0fbe2f9fd139a5fda45e24df43ed5038e2b37d70a8c18e7127e9a19895a0b553797dba5af8fb41f52fb5514052db8e60c9c8e3c5dad808d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIkk.exe

Filesize
437KB

MD5
f93a3cc7d3b6a0c529e551839af8f46d

SHA1
92bee03d29f3bda87e5eeba0732f6a2ccfdf4291

SHA256
d464fcbaa3fbf97336044a4387707dc7d807b0dfe7d9aa38eaead8672da86f7f

SHA512
eda2dc85a02605a91ccc7c6a5e1750a41bb8f46b8dddb591b6e9754c2bb2debd208abccd9384a5aeea39d69493c6b6f7a52db9a020c71d43c8feffdbfef5f4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIsy.exe

Filesize
114KB

MD5
17da1bd883e8764110b06265be3f2bcb

SHA1
6d8b9aa0960c68ff0bb8e408d092cbd4d941dd2f

SHA256
5c7babea30001f193301ffe2bd611f26ecb94b5ed626beeec98d9b0074ac009f

SHA512
965a80fb93d3db32d2f2cd0f3b58c7683a1ed6a74e562c5073e7cc41963de8063751a3112dab0dfd6b004a667d32775cbc9f7347af03a28f9e39db234a32a16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQAY.exe

Filesize
74KB

MD5
b9ca225e0d6c3d6461926879618bdd9f

SHA1
b1f6c072c93eb8dcd57e038040482356b915f403

SHA256
727031c0a56526e1b039ef8cce825924c9ca3a5a5c0a68730ffe31e6106f28d9

SHA512
0527eaf4978b0d0912ccbdde3a2669f8d765c217fbb97ad8088ae8b7a0c6eb4168f07eeaada3cd5205ca30cd9da666496932b2f3e35eac790f1aae38c546a9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUEq.exe

Filesize
333KB

MD5
099464eebab971adb3f635a1a040e9a3

SHA1
fd2d0163445a710e3a2975220d5a2bbb372e3cb2

SHA256
ef0aa157ec2183d28e64fea4f91b617c492e3188db2ac1a9950d84ff9f94cac1

SHA512
335b7a99a1e6065984f61e01babc7d04a3888eb9bb245301f8b015057e62f9c358a36674337e1db2a2d78821253a2e973c261ea763517abbcaa0f2eef3625a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUIC.exe

Filesize
305KB

MD5
ac5e497630c442e2db0e766cd3563a0c

SHA1
dd6e7335960d1e05e4aa41b53ee6067996141249

SHA256
ce1f39fede77288cabf517a4ad5fc6d6b4c47453b446988c122635140f9ced1f

SHA512
e34485de797b83e4f2c72bd23ae4b9e905a7267d491df58f6e2f5ae16d2b9c86fbbb8c48a147ae608b1896beb4fd144e919021bc5515826b75db39ea7221ecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYUMAYoY.bat

Filesize
4B

MD5
c03a0fb683ab40e169cebd1aee9fc0f6

SHA1
4d92c63394f0de11c3fc0c9d828ce87934f4e00d

SHA256
22d2da50828db557982b629090bec6d560dfcb3a4289388db306a54107e91560

SHA512
7356845e196389b74ddc103a9a441b0237467e4b86eea7627e8cd5d6656464a1aa1b7a0b458e6e514797496721302a9ef57a1760a9939c7179d46c06cfdb7513

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkYQcsUk.bat

Filesize
4B

MD5
7b9c206c092e5a82f1f7ffa719d15651

SHA1
e72feeeaeca2353ab7df72a49c448d20291df3dc

SHA256
242deb5b02915611db22bb3f671d6fbb8a201a0e10b2f37928d0363f610e1c57

SHA512
d077d4b5661b9af2ec6518cc7c8a740bcfb2bf7fb3a4650581b3ddcea80b1482148a0c1652255e71ef158be5ce04dd46ca88b16e95ae553d41c4a3362a8deb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkss.exe

Filesize
342KB

MD5
f23aa823ec986f3bb701aabda1e43eae

SHA1
c7a2479f7167710499956f83c9489f48c086341c

SHA256
86d044636a58cf2b2c31c069b91ba9a6b0897311a76460b55c2fa2ed8af50db2

SHA512
1a5bc1e78180faf71ce4dc8cedd2cac529cd60d3913b948c81e1395d02bb38c681125b30e88e9ea2cbb5c86296b90c4f76a789f6817a16376a9e0c6176b5b73a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAQO.exe

Filesize
97KB

MD5
69235d5cf0e4627f0362ba46ead501e0

SHA1
e3f65743e3f6dbbf470b95abf95b4e901aeb5847

SHA256
716b289ce33306a32ab8a7d9e11f89a26283365d4741bdc819ed7e84c3c6e3af

SHA512
64a7feae5e5de3c7d4f4ca76f5a58430eb72800b29d79aad1530f61ec4c91c7014c3ef1dffbb6c02df0f1bbe5947de0e3516bc36ec4f0c9c35063830ada645a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEgUokcc.bat

Filesize
4B

MD5
441ca69051b7d97341874fd2e8c987de

SHA1
29b48b2b4b0c4888583d29ff90ca4e6ada408cbd

SHA256
d4d3991e2b982077559dc60e1337f951e47cb4ef600709d94de207d37e507251

SHA512
153564e803b894a182db9367c8cf7514453743b5e1ebb4359472d57e5393219aa4c24ebfca46112804ac7b519eb1c4174dbe3fef3007c1e136bc90cb7033264a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEks.exe

Filesize
167KB

MD5
98494ec56d424eb24b63849d17000652

SHA1
2e2084761047ca0d4b8fec927e3b85faae5b9af5

SHA256
8b24b98171c45924ad48e3d9c57aa172f529ea79b6fb126951571d2a9cd15ec5

SHA512
3cce9ef5d77aa7e4d4307984b9ed5b612bee4a04d90fb4d1159e74db5ed7cd30475d95fcb0fa82337e7bd9575e5fbe4ab329f5b2c974b956f365a977757fc826

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQoo.exe

Filesize
193KB

MD5
768d55c8c2d1a0b78fedb8740e0887fb

SHA1
27fd07c0f8971638d6a6e842a27b578ba9e5d231

SHA256
09ad5b2e8f28afd7a6844d54869eefd0051def7933861ce8250d32c6a450a122

SHA512
7df728acacd282548339a86effaae1423f52bcf37e750b84526674d5b9c0e7839c25e2a2af3081d0495c2df06447361436f9e87bcf8d063b7e172fec3c41b277

Download Submit
C:\Users\Admin\AppData\Local\Temp\iSMMowAw.bat

Filesize
4B

MD5
06a5687fa7e7bc90982ce2d47736fd63

SHA1
810da7f97bdc7c07c1715c3b6ad081f6f831beeb

SHA256
08ac99805e2dcaf4f7a4888e2ffc97dc69b5876d7a16ebc922ff90bd68b7d0d4

SHA512
8fb1e79d2f87625825696862b455cc69556aa4d050a85474e50e952251c064811f305f899cf59f0bbe76ac87d6fc973e027b95946239f4137ee1c945ff20bf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\icAQ.exe

Filesize
442KB

MD5
1cab0a38649513ec7b3c370747db5b97

SHA1
5b33bf8655d89565bf9ba298781686292fb9bc54

SHA256
e320296c80f8e6d0d3f797fb3f7a6797609c683d14526bc87f315e75886f77a5

SHA512
a5148eda123d72458234b5be9945befd540b9e4c21249ffcea3797bcec88833c53d6182b86724b56b766f02c3064d55bc6e1d03ca7b0deaf76f5afde309e6a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\iegQ.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\iioAEMkQ.bat

Filesize
4B

MD5
62735e6871b5a94234bd9dc2139b4a33

SHA1
8eea3406454bd5c8a0a7678ddff3b1ce0d44fa30

SHA256
165487c079957532754b6a0b2984bc3b5c727cf0255daace1a24b0b592cf2d19

SHA512
38d0d3623f3981a719cb1ee91b04a1bb02625b4f25bf3e7078d17317aae8b147a3d00ba8e21aeadc7a9eb5fb877fc5e4cdf7f126860f906cf79d3bf4d4671e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\iowG.exe

Filesize
481KB

MD5
33de01181b7bc694eb2e1440b4ff3dd2

SHA1
ba19c3b2a7c0937390c2b417d09f75296169e9e3

SHA256
b0f32185d8fe3a5adf37698a06ed1c0b320a7f36bdb01414b493536290f5af47

SHA512
15fdb4bcad295981e8d94a9864c380b8fe38f10f6930a882f5a73416be52d9e57fc9b84baae8645b7188721261bccb99ad236526b4e18b749eb154628378c9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAAI.exe

Filesize
174KB

MD5
c84d144bb0ca2c2c58ed5242f0dc1d75

SHA1
7283e079cbef3122b176ec175327c924d54360f3

SHA256
2e9940f7e6ed5d4d40d5294633fb3635b42622f5c6925b57eeb7c3dc2cf2d547

SHA512
e09905986dad434c491818ae0c526737382344d3ad6bbef53e857f0a6ad0b123b67b577f4361d2b77c1c009e4de0b74fd6dffe6f4cd0301833bd3976d7e57a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEwA.exe

Filesize
438KB

MD5
433e818faa558c84f55935ba56c84ceb

SHA1
80d6ae7becfde8b32da25cd28655a3f35b228222

SHA256
fe9c502e0e4c5743539ece09108be62d4934b79ac58426491912498dcbb1f3f8

SHA512
9477566dbd7c9186a0e2e65f028111c0da8da62af7e12aa68ad30aa96cd38e159d17cec659f7a6cb91ef872f34a4fd5fd240d6e8b8ccb96f7bc6960f883e13ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIwO.exe

Filesize
481KB

MD5
43036d9214d6b7f4b73f4bb593a49b37

SHA1
b7b826fef69999469f2b6b3e240c75e2580de070

SHA256
9c7250178d4f0f508c22058dd6932d8b496e7c6411f4247dd6124fd7eb1edaaf

SHA512
c6225da64b2d6445d7a8028a8c54db3f98aa137f334bebdb6e7a79ff3f43fa617f795b17d2f88a4a90cecb27825f293cb86521531ca4f1423f408f449580448b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcQa.exe

Filesize
418KB

MD5
b5dc4fed97d4dfaf142f05d990c89c24

SHA1
d791242527b0a4f37512956607268a3dc63b0bca

SHA256
c5e4a2ea68e5fe5516d963efdb6c952beed88694ce4e3c198f7554887172e72d

SHA512
e56e41348ca95f89cf8ca9511980821af8f35f8bdaf4d125d27da053ccbcb249d0607ee40737c19b695babd0470ea34dd35d0aa7db52f6885d8b259ed5bd6705

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksgU.exe

Filesize
526KB

MD5
964da93d00f234a962d2795872008198

SHA1
40a50d7e2c45417d5e022f9ad34b4a144b9af4fc

SHA256
1781cb557a0fe019007feb087ab5e9a5444ff1b71cdfbb37e9b4302d7ee60d91

SHA512
aa6b2ab4f43e309070d8d9dd4d443d006b7485f7750a50f6f1ba7d11f3e89755905b7a3df8895f9f0faf81843259009f5788442127e49be3b5f073930dba956b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIUg.exe

Filesize
562KB

MD5
663f659ae1fdf9ef2af052f82131af25

SHA1
df5f78c772a9f764c699dceb44300798bd222c7f

SHA256
89f57ffe93165b478536944f56806d0ef75ae66f6d770c5f74665208ba702eef

SHA512
9a0f32a3ccd534c62835c4fa1b67bf5c7d8b4fb03aca93a9b843533f05d06ce6befcb77f4d766d513df3ae3ea0c3ea6024f4eb0fe2bac7e140052d382a31256c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mOEoYwgQ.bat

Filesize
4B

MD5
20f700146e218579f522430540720b71

SHA1
1c13fd4573500feb34df06493e9a0990448f89d8

SHA256
620c9ccb1e4dc33fcad4bbcb98a81829f098a2fa864e424a0278c30d1c03a81d

SHA512
b8a381d06e5b4b8346999589347c33397e1ddd91f44645c09dd92f1e3de2ca3a2ab23997b6abe44827709feb246286da982d6194395e83c35d44e7dc6641a1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgwe.exe

Filesize
478KB

MD5
df103f97a404fb91f14b5a3b4b129fed

SHA1
e5acf2f526a4c5c6cf5f54f662e9b40c942db08e

SHA256
04145971aa90cf888d958cce3b62afb3b1a4d5e7c31b44e9fa5dd9aaee85b2ee

SHA512
0f609a74be805288b96a74679f18d444e5dd68df53818dee3abbd18b19651a54654e703c33aa3fe12213936e5026e60df46d5259826e9f1d35a6df8b0a42f7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\niscgMkc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqUQEMYk.bat

Filesize
4B

MD5
f7d3c5a43f9f5b36512ca8990780eb0a

SHA1
4d2435fa549163ef7f23beaa9e4a56fcd0f1c1c3

SHA256
ad7d1edbb8568baec547f3748a6753e56cab9900cdbdbb7186a498eb96d040a4

SHA512
c0f34734bb94b47c8959f3d22d2d47771ed80e07266b80b9ce2045975d9ca6944ff7f049a4a9464a9ce73bb0757ee5f8439f6d24b452ddde533fbabad35d10fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAwY.exe

Filesize
213KB

MD5
4ce640a2d988ce3618de371138fe15d7

SHA1
2418140c3c6132ac0be2c2b6682d645538c48773

SHA256
111386c1adc570634a4a122519785d930dff3f3bc9c88131678b4d9719b8fe55

SHA512
4025af7e1cb775f0b82cca5edb8c792cc9318d47a7fda66fda6a32ca0b49e2831e44762acbedab3594c5393f0d6eb353fbd8bcb9513083958483e323b5b2a330

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUAw.exe

Filesize
339KB

MD5
6a760ffc362079cef1f6a51066ab837d

SHA1
238fe2f10250960ebfbe698b57909e0ef3d1b670

SHA256
ff5dff1d7178370944b8fa951dfbef635cd9d12d7647683aad7821cd5f4b6684

SHA512
dff1cd5da866bb3a09d8303b69560800367ebb3599da9bdb5d4b6662772a0e24f9340f1f13bd888dc7bae14336397ec745e0a72a49c646674d7fee4b0d5e486e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUIy.exe

Filesize
442KB

MD5
d7d8eadda45ad7ed2e5f5f2f4fcc874f

SHA1
e2d38b0c63cd400f56808dcf7c6d40c829dcfdf6

SHA256
e707d03d42b5279aac8e4d1a8436d2411bb1435cdc828a2a18ab8b8ea9308571

SHA512
cc2e2b831e2273f59c5f14401d3f49159bda9ff683ce56a047aae2776beaae907ac0effff42cd6e8c78d9cef9c79a33470aa494d625bb94070eac9c432c7995a

Download Submit
C:\Users\Admin\AppData\Local\Temp\owIG.exe

Filesize
434KB

MD5
287236799d1b2835c69deedc764e1290

SHA1
7a0564ed8585fc36ccd1c3a118ec149766a5661c

SHA256
ad757113e8ccd8fe7b276c77b389b0b9148cad7eced626423f4a9914902bc9f4

SHA512
78bc6292525e848a4fdd38cc9402881c8727142a486eaa144ff44fc271d00d3f839cbb8ddbf163c07d2896aa3cfbbdf84b6c4044844fcdec3d7eb6296f5e127b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIAa.exe

Filesize
562KB

MD5
cb13334f7a72b222b14ae9aa8edf26c5

SHA1
b8af229482756d694f6704a3195c260455b57c82

SHA256
28594e746b69505f4627b89b3c009f8dce32f8608840c4b5b65e446512bc89b4

SHA512
98e07ed45839cddfb1298653fcc9609029e007fb47a8ac16fc1d6a8f26f3b9806eab76838c4ef60432ba3eb6177f2291ab7dd4ceb6fa07f139c51a0da94010ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMIK.exe

Filesize
149KB

MD5
1021c0f689a686cc4ed45ec4b92bdb83

SHA1
496e64f39bd411550819279aae0351931c306367

SHA256
893cc166e5575ee8339276f5be378f9551f045aa8ae352945dcf7854bb5c94f2

SHA512
ec403dbcf034ca1fecf670927b2cdb2443e243e34629228039d0c2f558c474ba11d7c9d35a9eace9b68f661952d7a95be40823adc01ac7cd58825b97293469e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMwC.exe

Filesize
438KB

MD5
ab213a4a0b510b238ac3c988c5bcff26

SHA1
24423307d0720fba73e53d1f813d296bd1a1c519

SHA256
44681a60f6ef624183101e6f013f9f4ec5dba189bb2780a120a03f1399ffdab1

SHA512
9ba9eb8899a04fd3c1a15fd8f8fa713988b30e39828fd2c3fdb9ccc3ee56dcef0693a7f9acb06f11d9fd3a6de83ddd7aa2eb9edf0991f7f95eafb4b475dafe99

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUQgIgok.bat

Filesize
4B

MD5
848cfc388421457547f756620fdd7569

SHA1
93941e791743a3676532bae9231fde5947d92d0b

SHA256
a8c9e8780a22f920f87c010833540e1afaab3973e7d66f4a800816751ba656af

SHA512
e984c97ca36f5f5cd4a2f52b88848fa712bcf05a808c071bcedd43d52125b288bf09184ecd8c034130fd25a1c9620555df4b97007c6cb95c1fc277e91c651604

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkAw.exe

Filesize
319KB

MD5
1d78d7be7ba426573c13db2f3cccc66d

SHA1
0bfadaef38c434399c31a07234094c568286896e

SHA256
1bffae1a171c62683076f0d6f611a0cf45447865cd3f994ea3eaa0051fbd8753

SHA512
f5771bc35c2d38a983838c9266b8d4b7aad1e4a18268c0c403052510605af3d83b369944b7dff91c3095e0888f7318bdbee03601e41cf78dc4be77fff1e4aa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkcI.exe

Filesize
426KB

MD5
eee080f7d25997d5f2da9cdfdbdf78af

SHA1
9ecf570ef0e62d561302de156f0e4bec4db59979

SHA256
844c3221e8e5cf5b15ed873b23e353fc70610ef9629f298099e86ad4afb6bcc7

SHA512
420a52ebc1d8845436bdd7cb87dbe54d06f058761ef218857536e3c1bfebf69f3febd83c44790af9155828e4e319e0bcb6a4af18f0b8d941b15f42873912d178

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwgA.exe

Filesize
442KB

MD5
68a72ee3c5bdc5ccc71a11854c310a60

SHA1
8941db1b140071c4cf184a87a2c917e0fa4738ec

SHA256
2b7468a2dab3c6d8c3ec7e94b0ea21b354e905dc0346ca9f679975b6fa5509c1

SHA512
c8423dcbfb33af813b06e6da1e5a74562f75818a8ad4086d43833b8c28c6822336ccbdd5db1f269dc3c4779675fa90697f11e30aee5d2751b50df1f40d20965b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruwEswQA.bat

Filesize
4B

MD5
0d9240fa850646684a2e14969a2e3439

SHA1
4ad5f0ed84c0d43a0c17ad1cc5764a532429b577

SHA256
b0127ce28f0676e4cbe7067eb674c6071f847494b4e21c31bda9115b0443bfb9

SHA512
72b93dbe19bf97993a15d3fd39d14d7fea486a1c9dae699a6ef0ff08909979930b83204a81adffe8f783a6b2468ba7b1a06d6d18a836147e92e9e35f243137da

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYwu.exe

Filesize
336KB

MD5
6d05d95c781a4c66309957684fcc9371

SHA1
c118b3281f8205c8ad024e05bf1dd7e64a3e7eb6

SHA256
f701d9eb9e16354a2e78c3545c892ad4ff5949e1551a74054c57b2f8ee551abf

SHA512
f7d1a04847c13e28c6021c1f2704678cbad245001c635c0761a59f9a99b39e186a25e205156c87895b889285932dfc7676ea97c7af561bb85f4cccaf298e6ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\saEggQYw.bat

Filesize
4B

MD5
65d361e2a3cc9bf5860373bc5d452712

SHA1
e8e8e270d7687e6fb4f0c1f8e71c52e572e27911

SHA256
d397aad783ae725391b9a0b93f6e1d2323e96662ea6c0d66b9733fe5bcc76823

SHA512
dfa450b45f46851f8247d1d7eec91246f032062eb892dc8546eed17f0b372c5afda199c9216af8d317473b5f4f8347b326587dc68ab381dfb22ba966976b80d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\scsE.exe

Filesize
107KB

MD5
0f93fc6e7a725ca9e923ef225ce6733d

SHA1
2d32e95e3334490966a99838cf9f1ae667fa79e7

SHA256
12c196eabb200a6749c62bdcf2670c6d3e1bed68d88a539ef2f7decf420bc7c5

SHA512
5bc34e5bf8c262e3c73183cef833497ea292ab974ee4a1a25ede7e7893c084ef2f2775a1ef580c3d9bed673bb71c060161f9f63b996f436b96dadbecdf2b32b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scsu.exe

Filesize
108KB

MD5
c543ecdb04be159c3c6e6c3e983a0ea4

SHA1
17c95800f93b63668d8ecd2fe645c40c2ae94fec

SHA256
5e4994c5ffdb003e8071c46e340090ae18e061562fc8960c2b033ecf4ffb958a

SHA512
7166e1e9d263bb312011ebc1bd57acd1320b95f9866f0000f6e95ad730f7acda1d952cca93da297265b1c6e04eed592dc0c637e107a302f4ae6b0a6eedb1603a

Download Submit
C:\Users\Admin\AppData\Local\Temp\swEK.exe

Filesize
313KB

MD5
e0fdd695318f2635d4f64294235b8f87

SHA1
bf55ddc78f1b0ebf9ada05ac2a778aabb5b45bac

SHA256
449af407f0cd5a0fa54f5ff2644ec4a7146ba3fe719e08b47b32b32155538603

SHA512
f833d22d06879916475e6c60c1d1f66cbb14d6112524bd593332f5e7003cefae6c35f946d6e5aa3e84d8ab8c1a67137b63796cabd71157974ea14007bd0beccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\swQA.exe

Filesize
391KB

MD5
1744c203870278a8d83bf565538b641b

SHA1
50cc142380d632a4886ab7f735a800096fc3a91c

SHA256
c44ce7c9e2f18ca3d8e4634a1f4f1428c77fc505121541bda8a96597480f202a

SHA512
3c9bd1a845e0c23fb788491a42e337a3c37fe6e4c70ce524cb6eacaa6ccce0439ef332b04ef2242c380ce4414836eabb3dab0e2a14d2163f4e2ccdf8ce07554b

Download Submit
C:\Users\Admin\AppData\Local\Temp\taUEIcME.bat

Filesize
4B

MD5
892e5d1dbc23465921015f5ef0891c82

SHA1
aec4898f62d93ccb761c46fbe309afacced0639b

SHA256
b6af0c22ffd2d06d5477f341fdc1bed13ebfb82ca47e15de58734879b68ffbaa

SHA512
1cf781eca16fee6e087d890ef988ed97664943131abae0d2845f6b71c257a35e95c4b7e01509ae184f52b9e04feaedd3496d83a6abbe310d9f67ca777c7ad78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uksW.exe

Filesize
153KB

MD5
84ceccd723cdebe713cc966ebb3dc1ff

SHA1
df7cbf3d1d48cb87a334dda040635db6638c4781

SHA256
8c241ef7f6dd98b7719461b2b51bb45baae09a6df3d49ee47a6320eb6d15db9c

SHA512
e4b6a2f86f6368fa4346dfc99f46624c834f0eddd590c7d220180ce3bb6c0ab3156b2e1a4766cf51df8b6420390f45c290c903bf1f97d587a28df6cf47e49c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAMA.exe

Filesize
439KB

MD5
6d50cfc1901325b3d107f5e9e0a747a5

SHA1
9e91a7149d1c21c24e1f2d9c53dcb2f0c774f8ee

SHA256
6175630c71bb061c00d518e360f0105ec8a095e042c42303d95cd0052760ef94

SHA512
0861c7f50fdc0e69e126b4f938066bee000469ef482eb04edd4d467043e5f0bd8738e064ecd78b62f46184bb63588303a8935a9b7c8b7028a0dd16cf1a91177a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAcA.exe

Filesize
474KB

MD5
25ceb1744f1f074c9b634892847436bb

SHA1
0af4daae8a34e65018489545ffbab4f1165b96fe

SHA256
7c5e40415a850668e92aaa0c78d569cf4304d0ae965c5e263ac85a65e2eb0c57

SHA512
184ec04115784214b1777e62eb91c5b81adab7c73467e03152ecd931b4633c9630f0ca19096d6e714d953b425399dac6970c7ed13137c25aff5c1e2ab8b73aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSos.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgwQ.exe

Filesize
85KB

MD5
904791e1a56dca3235088815308a2e58

SHA1
9ae60b68a3bc361f787679ab8fe595db6e834bef

SHA256
aa0126bb6765e2ae9c24f7eafad1723d070f3fcab1473c03c970255d5db64686

SHA512
49a2094861add4568faf4cede3511697b0cb7f8b23a6092f0fd4a9f4517e64ac37f23ae5da99bdfd063dde5af98a42386a3ced74d64961185ac9a69cf3af450d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkAw.exe

Filesize
232KB

MD5
ca8f280daa77c1f39ab908ca960c6be7

SHA1
b3188a859a5918b0718110240ae8ebf3fe56981e

SHA256
2b36e275ad3301c4e63f612628d02a68c067603fc1956554b8e65b5aeb5a85b5

SHA512
616a389422b9f38add404e6f7e5baab281f6c30970d9dcf128114e026ab4bc3a7078664905a9e51b66876860b21c537de4060aa6d7cbee012e727ca9cd30ea86

Download Submit
C:\Users\Admin\AppData\Local\Temp\wkYY.exe

Filesize
391KB

MD5
ae00c2bb1af52c8b17ad6a26f9ae14d2

SHA1
9a0b3f17e8929a2f9d87b687837c8dfa5019c374

SHA256
29dc9c6d32593c71d1907d86c8ca206e1e74541f37431630bad76aeb598e0798

SHA512
1834d14d7d19146fdfd5b9b0037c0258c409dabbb3f671d23a5095442df885dbd829b58ffe32076c09cf891eb343e0c42f7244688187391169a4863f6bece41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwMo.exe

Filesize
141KB

MD5
cac43924509557d9da5b2b0916c02b6c

SHA1
86034cd9caaffb96a8009c5ddef65c61d95bb91a

SHA256
b1fe9ab3c5367d4aaa52fd2b41b4b63bd9a527f7e20e703fe66394bb5acb4c99

SHA512
18e48556d282425bfedeb24cd9972c8a90e60c7de8bc6a531b6d6e6618978128f1e786fb80334212597013e5d9928ebf8990613d99ccc05db388acb79441adc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWkUkEkY.bat

Filesize
4B

MD5
92acb5f4b2661c66c9e6e8d053c937db

SHA1
ee8618f656fe4e818f47dbead9f079ee643df882

SHA256
8d5ae4b00f59feeee6456d1803817c932fb1bfe536ed4f4440f526790edbcb5d

SHA512
20824164ff84c40ad2b73f89c57f604d8b773d19b3746a3325526f51bc28eb556f25daff08a4075260e43ab1b86e193e0c93ebd2e28542fcc8ad95f24523265b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAIo.exe

Filesize
318KB

MD5
2b37ca47967c3ed0b984b2c236dcd4d0

SHA1
7374a0984cb22b467b7c455514a2e827e359bc8b

SHA256
6e553092d63e145b4ac7074d8761c8293c5af929c57b1312febfe83164343219

SHA512
aa7a0835ab34af6069a9866025a6787c8d4fa0668ec172266558a7a74d55ae812c799e0578ffb766c11607e29d147cee291c47f064b04d6cb9e1993442561ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEIAwsUc.bat

Filesize
4B

MD5
7bf56d54af32313a649125cc8d8381b7

SHA1
248253d645fe80034e5fef5f62296378d5ece6a3

SHA256
39f33bfe9322e59ffb89d6dfbe569f42b343c1370d3d43a0bb679576c88caae1

SHA512
33c6e4ab48fc9e043513c798a2379afcd17d58ddcb82e2ecf025e8d5a686e29c076eeeac9a465c8439596ce2615febefe9074aad3ff2e7a7ee2e36708ab6371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEUEowwY.bat

Filesize
4B

MD5
a1c5882b13d33a90d0c1cbe53dfbbb65

SHA1
be876c37ed1db6d5b6259b9d4cd843e38ac11ba7

SHA256
f636c9363aad297dac7be5b741c34a44d83e03d3f9e86b5243b29247788a66af

SHA512
f337456d3d005ee3db5bd0b06e44dd078cca093aeb0e993a885eca38c11953214f26c837773032eb55166b2305b2f3a19d2e3b1a194f46a6f55f754bd777bc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIQIsYAc.bat

Filesize
4B

MD5
fcccb0f1705068eed572e95b668517c5

SHA1
9f3a111d6b850f6b18fe00ec9716c035a0e34301

SHA256
45b54916c94e7ece1fe924d629623c5684b40cd1d0ddb4106db4845c1e0e7abb

SHA512
f58d7fd8a456070f33e0c9d07e820bc6c8940b0a1c4e1dbe7968f79f41868b6aed0240b7441c5255faf2d928ae47a811d94f5d13ab0151a2b5f0a64e2bc51660

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUAS.exe

Filesize
169KB

MD5
6cb3fbe30d59a4832f87156156d4bb16

SHA1
be2c1a69f688555dfd6f2a82a31b22253fee1632

SHA256
6f7acc101d893a188719a45744920ee5f0a190b4d5cdfeec6b86123f593709ca

SHA512
9a76293c3925e3d546b62e5415bf549160557457d69b725eed1641e5e83a9738b49c90d36f8f0db02128b9e2308418492a78ecad15e5f3e95dcaad46e75349b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUEg.exe

Filesize
443KB

MD5
e0f4ad86d45b244649845916851a1f2f

SHA1
6cde0dd39d938d2d967f80205ca983ebfa2c5150

SHA256
465fe37e4598e6aa9fe7578160393f5e6c95516958e76e8005afa74efc2baf78

SHA512
bbdb73159760674aa5d43fdd083b2f6b7d801114dd3451b66259e64e0a042be99f28dc5ef5ba144427ede610b5c2fd4c97dc9ebfcdb6fcd16fdf01220e3cc0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUMS.exe

Filesize
458KB

MD5
d4d1ec373c00e4253ac6f667239ef9fb

SHA1
27e3399e47a528a156cc92a43bcf9cf09e052422

SHA256
6a24f61b352cf6db2ccb1fd3ed55608a1049f62e90d57fb92560c8987d70125f

SHA512
2ea59a2beebd1ae1bde254dbc59a713b81d21bfb74c63e6d882fa641781a0328b6896e4000c77e727db9347f62862061e14bdc77daabb6c3a8986212d9e1845a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYoI.exe

Filesize
411KB

MD5
72fc89cd45949171ded252ba7a3f1582

SHA1
dfa9c73e057426e51bea6a0ce08a8fea967e598e

SHA256
d8d87c832730287c5f2b7067121aec017fb054dd3c99abb8d9b1652fed59c059

SHA512
ea32d2f09aea1c7ab3e2e4635b0f50d6e54cb29f89375fe0c053ee09ab1604ac59bfb077853c2dd76c9a2b05274da25e2444a2f95b2f726cbae8d062a56fea3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymgEUIYc.bat

Filesize
4B

MD5
f8b7fbaa2abfa3a0874947b7c06dc3dd

SHA1
399a1db70d6de3de9283ecba7175b8844452cf19

SHA256
640063ee1b6279b3f6b549fa7ef0f678000cbefaefb67afb05d4434013c36245

SHA512
bc8c615a48c823c79566aba641a648db37a30d35873e3cbccf1e4acb25eb1807160c406d863ded47754d55ca216213a61e4159f134347885de3dbf85ee41bd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoUMMYkc.bat

Filesize
4B

MD5
b12d7adea565ff297006b9d5ac05e261

SHA1
8f502c9406a7748ccdc3902aa906773671979aa9

SHA256
aa9bd166bfdff4a54ac996bbd765c3181ebb0760e12ef29ba71306c189ee75c5

SHA512
cbc7b6e59de9fa8d76d4e5e945fdcc8f719e5882fc5994bc2caeaaf72780abf3d4967c43a677d88ac42c080d0c4bde002e22bdc684cf833bb2b0b8bd44f4fa25

Download Submit
C:\Users\Admin\AppData\Local\Temp\zIQYYIUw.bat

Filesize
4B

MD5
cc98240e115a334a5b59216bec4bbe12

SHA1
297a0ea317207be4311a2c11234fe7a7585a4e76

SHA256
a17ad37e2ddf24bc34059a5196cad17dd3b0d87352b4111b768be50d18728d9f

SHA512
28871e80bce6d66b8e8e4a68304a1664165981361dabc3012985db6d0644074d3aef361b0526b4598b5bccbc097e44b99e5083dae05ca646abe67728737598cb

Download Submit
C:\Users\Admin\AppData\Roaming\CloseSwitch.jpg.exe

Filesize
563KB

MD5
3889720d8c736ad3dcf891f598a6c8dd

SHA1
a938c168adf0b7e143cd2ce040f2aa78e57e7ce3

SHA256
4c01825c7e4e152c5bdfb486f217ef6f0aee6ba9c92a589c3bb810a9520f5228

SHA512
d854cf6e0a4ef02646c29cdee92742250b1443050546846b5f97ccea86a6e0d1bc19db314fc70116a432bfb50f7f4bdc3546e1385b3bdade2a8b3c4e61289932

Download Submit
C:\Users\Admin\Desktop\SaveUnregister.rar.exe

Filesize
381KB

MD5
7e0e8ec8526f109bbaf0a2b35ed986fa

SHA1
fcf8da6ff131a1c4ed2c4088ad00f19f035888d1

SHA256
df4b9b59a84a24ffda5fde3feebb579a5fdd66bb7f3b65ebf849c42307fb3fb2

SHA512
0ab36136b84bc9529e4f2a26bbdc316f162642ce73b6769b85887bec15db30caad3108df924e944f35016c824ff434fc6620da06535395dd00f9853167cc1308

Download Submit
C:\Users\Admin\Documents\These.docx.exe

Filesize
176KB

MD5
736c4b2a55e8805ac90735b8adfe51eb

SHA1
534a2c8740adf3faf917625b84d76754aa4eef43

SHA256
0b66529b518fead999c3646dccc3a6d1a3e2b6a798883e47cec662c07bffa125

SHA512
7359b8f78663c8fd26538c1ac779f436566ae2a4086b958409074d07e45886accbfedc52015877a1caf4da350768d6e0e1b849dcf4b10fd683afa52d3000e87e

Download Submit
C:\Users\Admin\Pictures\InvokePublish.jpg.exe

Filesize
710KB

MD5
6b1bc697d7baa883ffb9f0b26e54bbcb

SHA1
c0651293193a6dc9bb375a0a9d00059b079ec5de

SHA256
662a5e6541f74cd64ac3b756314f6aede3e598d34d5eb7996b8ca480e506f9f5

SHA512
7a5ea0810b2f131ae82566536658dc16def5b49b1bd3709b8b1a57e37287461fcbfc5cd60eac5274eba540672c7d570ff84edb6949a641732f6d1f6f61c7a7e6

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg.exe

Filesize
383KB

MD5
7ed0ee0c5bd1cdc699c352d2f8e51931

SHA1
8821d9ab2f1fe8469b212aa717d69896849dd993

SHA256
8b6102b5d74dc3321397e2618d3326e22dd8b5ff54bea367fb7eba41e53beedb

SHA512
bb2ae67f8ae73eda2a853af3905124142ad5dcf11995858c98c96ece7f98642074fbe3bf11b36c2cc84df8373225147a7a45161a7b3d016ca5b54bc0f2f200d6

Download Submit
C:\Users\Admin\lQAQYgMM\DUIMQIgc.exe

Filesize
436KB

MD5
4cd5a2e9c3734ae4179bea70efd696ea

SHA1
fdad56553ad356f4acbaba33298319a47714dc22

SHA256
611fc82cddf7db7e73c6b83f27462c2509cea03d7c2424a15b2c255d4c58e03d

SHA512
a5a679ea0bc6c3eb4b8a1d0d84d3c8c83d8e3943047385d309035dbd58e103501bd89f9301ec3d7101f327287cf412e0ae0d1104334b37ffee2cbc6875757e0d

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.exe

Filesize
196KB

MD5
c387da68233a2e569da51c75bd9deef1

SHA1
4f1509622b17d828529ee8394670cda6df33252d

SHA256
a75f433d82abc004762a481576a3eeb8f0a2c7de4ee9441e840a22468e25af86

SHA512
1e4cf3d9897761200c47e7b561e195ac568fe09692a9405b85c92dc786c06890ffbc97875153694742907928985e62a8ed28cc41a081d6c3e44c84bc6c1b0153

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.exe

Filesize
147KB

MD5
42f8eeaaa82bfad3c1be4d9f3102c70c

SHA1
4187f607a0334df47f19cc3bcfe147cc13076b10

SHA256
210b95e206da9ee843a32f86e536d85d8d8d55ec409847e084dc2cc4cacd2e13

SHA512
3c5e459fb94d29f15a990fe5535621224f994a25a32544074a4bdb1e4c5d0124d3aae253a2c96e7730c8de37282efa18f60f9663c9aa354527a1ce6a26cf6dc7

Download Submit
\ProgramData\fmoUEAcU\kqsUkkgA.exe

Filesize
432KB

MD5
81ae1c7f1956ea69e8f57ad56ac8b466

SHA1
5e7ebfe431a19c5b1b4a2b16987a03a6610eee42

SHA256
a967b38a3217cb384a8ef95359a0c1dd109fa107949a8c7f696631c2c93a500d

SHA512
47174e7ffd6bd4741b0a8c4a61a54b81212c5882499d1e1846a7095b51e5b3495b4c87baaeec3eb4e95c1fbffab49a1c2ced85359731d00cd88bb53499981232

Download Submit
memory/268-119-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/268-88-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/812-268-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/812-236-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/928-110-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/928-141-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1056-591-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1056-563-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1072-97-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1072-66-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1160-290-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1160-258-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1592-458-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1592-430-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1716-496-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1716-468-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1776-620-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1856-325-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1856-357-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1884-380-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1884-348-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1964-534-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1964-506-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2036-132-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2036-174-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2136-211-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2136-245-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2160-212-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2160-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2336-572-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2336-544-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2476-312-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2476-281-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2496-165-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2496-198-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2540-53-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2540-33-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2580-582-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2580-610-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2660-525-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2660-553-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2728-411-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2728-439-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2760-335-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2760-303-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2816-420-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2816-392-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2876-601-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2880-487-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2880-515-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2916-401-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2916-370-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2936-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2936-152-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2948-222-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2948-188-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2968-44-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2968-75-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2992-449-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2992-477-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3044-187-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3044-10-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3068-24-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3068-235-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download