341a3edcc224c0faba1688873dc174b21dec926cf98e69c95ee379155ef70f6f

Analysis

max time kernel
250s
max time network
320s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e402303456d80df99b5442339851753.exe
Size

484KB
MD5

6e402303456d80df99b5442339851753
SHA1

c304b462bded7e9c622bfdcb5df58a92b49b002d
SHA256

341a3edcc224c0faba1688873dc174b21dec926cf98e69c95ee379155ef70f6f
SHA512

d863dca7ef35cfd5db26135798901ff1fb61a2856ae534f3615746553a212d9461e1ba01504cff5a48c91c12f91ff289a898c6ff0ace4047ea8037cee8e91a1b
SSDEEP

12288:SU3yrwb7pzzRJclyX8DlsFpycim7J3M2iJKl:Tyrwd37cZBXc9F3n

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 28 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 28 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
568	degAcQkE.exe
2772	QcUUcYEQ.exe
1368	zmgQUEko.exe

Loads dropped DLL 10 IoCs

pid	Process
2416	6e402303456d80df99b5442339851753.exe
2416	6e402303456d80df99b5442339851753.exe
2416	6e402303456d80df99b5442339851753.exe
2416	6e402303456d80df99b5442339851753.exe
2772	QcUUcYEQ.exe
2772	QcUUcYEQ.exe
2772	QcUUcYEQ.exe
2772	QcUUcYEQ.exe
2772	QcUUcYEQ.exe
2772	QcUUcYEQ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QcUUcYEQ.exe = "C:\\ProgramData\\DUkYsckk\\QcUUcYEQ.exe"	zmgQUEko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\degAcQkE.exe = "C:\\Users\\Admin\\xssQQQoY\\degAcQkE.exe"	6e402303456d80df99b5442339851753.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\degAcQkE.exe = "C:\\Users\\Admin\\xssQQQoY\\degAcQkE.exe"	degAcQkE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QcUUcYEQ.exe = "C:\\ProgramData\\DUkYsckk\\QcUUcYEQ.exe"	6e402303456d80df99b5442339851753.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QcUUcYEQ.exe = "C:\\ProgramData\\DUkYsckk\\QcUUcYEQ.exe"	QcUUcYEQ.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\xssQQQoY	zmgQUEko.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\xssQQQoY\degAcQkE	zmgQUEko.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2652	1564	WerFault.exe	339
2036	920	WerFault.exe	376

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
704	reg.exe
1740	reg.exe
2868	reg.exe
2624	reg.exe
2628	reg.exe
1804	reg.exe
1768	reg.exe
2020	reg.exe
2696	reg.exe
548	reg.exe
2380	reg.exe
2740	reg.exe
2920	reg.exe
1740	reg.exe
2088	reg.exe
2272	reg.exe
1960	reg.exe
2116	reg.exe
1764	reg.exe
2420	reg.exe
2420	reg.exe
2448	reg.exe
1320	reg.exe
2320	reg.exe
2156	reg.exe
2856	reg.exe
2412	reg.exe
2064	reg.exe
1696	reg.exe
2784	reg.exe
2692	reg.exe
2280	reg.exe
1572	reg.exe
2052	reg.exe
2996	reg.exe
1964	reg.exe
2180	reg.exe
1644	reg.exe
2780	reg.exe
2508	reg.exe
2688	reg.exe
2160	reg.exe
1552	reg.exe
884	reg.exe
1800	reg.exe
1552	reg.exe
1640	reg.exe
2268	reg.exe
2304	reg.exe
1568	reg.exe
524	reg.exe
880	reg.exe
2308	reg.exe
1768	reg.exe
1000	reg.exe
792	reg.exe
2472	reg.exe
2212	reg.exe
1920	reg.exe
1804	reg.exe
2556	reg.exe
1724	reg.exe
2136	reg.exe
2984	reg.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2416	6e402303456d80df99b5442339851753.exe
2416	6e402303456d80df99b5442339851753.exe
3060	6e402303456d80df99b5442339851753.exe
3060	6e402303456d80df99b5442339851753.exe
1096	6e402303456d80df99b5442339851753.exe
1096	6e402303456d80df99b5442339851753.exe
1944	6e402303456d80df99b5442339851753.exe
1944	6e402303456d80df99b5442339851753.exe
1652	6e402303456d80df99b5442339851753.exe
1652	6e402303456d80df99b5442339851753.exe
1704	6e402303456d80df99b5442339851753.exe
1704	6e402303456d80df99b5442339851753.exe
1536	6e402303456d80df99b5442339851753.exe
1536	6e402303456d80df99b5442339851753.exe
992	6e402303456d80df99b5442339851753.exe
992	6e402303456d80df99b5442339851753.exe
2432	6e402303456d80df99b5442339851753.exe
2432	6e402303456d80df99b5442339851753.exe
2036	6e402303456d80df99b5442339851753.exe
2036	6e402303456d80df99b5442339851753.exe
2852	6e402303456d80df99b5442339851753.exe
2852	6e402303456d80df99b5442339851753.exe
1596	6e402303456d80df99b5442339851753.exe
1596	6e402303456d80df99b5442339851753.exe
896	6e402303456d80df99b5442339851753.exe
896	6e402303456d80df99b5442339851753.exe
2528	6e402303456d80df99b5442339851753.exe
2528	6e402303456d80df99b5442339851753.exe
2932	6e402303456d80df99b5442339851753.exe
2932	6e402303456d80df99b5442339851753.exe
436	6e402303456d80df99b5442339851753.exe
436	6e402303456d80df99b5442339851753.exe
840	6e402303456d80df99b5442339851753.exe
840	6e402303456d80df99b5442339851753.exe
2164	6e402303456d80df99b5442339851753.exe
2164	6e402303456d80df99b5442339851753.exe
1360	6e402303456d80df99b5442339851753.exe
1360	6e402303456d80df99b5442339851753.exe
1264	6e402303456d80df99b5442339851753.exe
1264	6e402303456d80df99b5442339851753.exe
2880	6e402303456d80df99b5442339851753.exe
2880	6e402303456d80df99b5442339851753.exe
704	6e402303456d80df99b5442339851753.exe
704	6e402303456d80df99b5442339851753.exe
2152	6e402303456d80df99b5442339851753.exe
2152	6e402303456d80df99b5442339851753.exe
3068	6e402303456d80df99b5442339851753.exe
3068	6e402303456d80df99b5442339851753.exe
3068	6e402303456d80df99b5442339851753.exe
3068	6e402303456d80df99b5442339851753.exe
1900	6e402303456d80df99b5442339851753.exe
1900	6e402303456d80df99b5442339851753.exe
1900	6e402303456d80df99b5442339851753.exe
1900	6e402303456d80df99b5442339851753.exe
2708	6e402303456d80df99b5442339851753.exe
2708	6e402303456d80df99b5442339851753.exe
1980	6e402303456d80df99b5442339851753.exe
1980	6e402303456d80df99b5442339851753.exe
1708	6e402303456d80df99b5442339851753.exe
1708	6e402303456d80df99b5442339851753.exe
1908	6e402303456d80df99b5442339851753.exe
1908	6e402303456d80df99b5442339851753.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 568	2416	6e402303456d80df99b5442339851753.exe	27
PID 2416 wrote to memory of 568	2416	6e402303456d80df99b5442339851753.exe	27
PID 2416 wrote to memory of 568	2416	6e402303456d80df99b5442339851753.exe	27
PID 2416 wrote to memory of 568	2416	6e402303456d80df99b5442339851753.exe	27
PID 2416 wrote to memory of 2772	2416	6e402303456d80df99b5442339851753.exe	28
PID 2416 wrote to memory of 2772	2416	6e402303456d80df99b5442339851753.exe	28
PID 2416 wrote to memory of 2772	2416	6e402303456d80df99b5442339851753.exe	28
PID 2416 wrote to memory of 2772	2416	6e402303456d80df99b5442339851753.exe	28
PID 2416 wrote to memory of 1244	2416	6e402303456d80df99b5442339851753.exe	30
PID 2416 wrote to memory of 1244	2416	6e402303456d80df99b5442339851753.exe	30
PID 2416 wrote to memory of 1244	2416	6e402303456d80df99b5442339851753.exe	30
PID 2416 wrote to memory of 1244	2416	6e402303456d80df99b5442339851753.exe	30
PID 1244 wrote to memory of 3060	1244	cmd.exe	38
PID 1244 wrote to memory of 3060	1244	cmd.exe	38
PID 1244 wrote to memory of 3060	1244	cmd.exe	38
PID 1244 wrote to memory of 3060	1244	cmd.exe	38
PID 2416 wrote to memory of 548	2416	6e402303456d80df99b5442339851753.exe	37
PID 2416 wrote to memory of 548	2416	6e402303456d80df99b5442339851753.exe	37
PID 2416 wrote to memory of 548	2416	6e402303456d80df99b5442339851753.exe	37
PID 2416 wrote to memory of 548	2416	6e402303456d80df99b5442339851753.exe	37
PID 2416 wrote to memory of 792	2416	6e402303456d80df99b5442339851753.exe	36
PID 2416 wrote to memory of 792	2416	6e402303456d80df99b5442339851753.exe	36
PID 2416 wrote to memory of 792	2416	6e402303456d80df99b5442339851753.exe	36
PID 2416 wrote to memory of 792	2416	6e402303456d80df99b5442339851753.exe	36
PID 2416 wrote to memory of 1696	2416	6e402303456d80df99b5442339851753.exe	32
PID 2416 wrote to memory of 1696	2416	6e402303456d80df99b5442339851753.exe	32
PID 2416 wrote to memory of 1696	2416	6e402303456d80df99b5442339851753.exe	32
PID 2416 wrote to memory of 1696	2416	6e402303456d80df99b5442339851753.exe	32
PID 3060 wrote to memory of 1768	3060	6e402303456d80df99b5442339851753.exe	39
PID 3060 wrote to memory of 1768	3060	6e402303456d80df99b5442339851753.exe	39
PID 3060 wrote to memory of 1768	3060	6e402303456d80df99b5442339851753.exe	39
PID 3060 wrote to memory of 1768	3060	6e402303456d80df99b5442339851753.exe	39
PID 1768 wrote to memory of 1096	1768	cmd.exe	41
PID 1768 wrote to memory of 1096	1768	cmd.exe	41
PID 1768 wrote to memory of 1096	1768	cmd.exe	41
PID 1768 wrote to memory of 1096	1768	cmd.exe	41
PID 3060 wrote to memory of 2056	3060	6e402303456d80df99b5442339851753.exe	47
PID 3060 wrote to memory of 2056	3060	6e402303456d80df99b5442339851753.exe	47
PID 3060 wrote to memory of 2056	3060	6e402303456d80df99b5442339851753.exe	47
PID 3060 wrote to memory of 2056	3060	6e402303456d80df99b5442339851753.exe	47
PID 3060 wrote to memory of 884	3060	6e402303456d80df99b5442339851753.exe	46
PID 3060 wrote to memory of 884	3060	6e402303456d80df99b5442339851753.exe	46
PID 3060 wrote to memory of 884	3060	6e402303456d80df99b5442339851753.exe	46
PID 3060 wrote to memory of 884	3060	6e402303456d80df99b5442339851753.exe	46
PID 3060 wrote to memory of 880	3060	6e402303456d80df99b5442339851753.exe	45
PID 3060 wrote to memory of 880	3060	6e402303456d80df99b5442339851753.exe	45
PID 3060 wrote to memory of 880	3060	6e402303456d80df99b5442339851753.exe	45
PID 3060 wrote to memory of 880	3060	6e402303456d80df99b5442339851753.exe	45
PID 1096 wrote to memory of 2676	1096	6e402303456d80df99b5442339851753.exe	48
PID 1096 wrote to memory of 2676	1096	6e402303456d80df99b5442339851753.exe	48
PID 1096 wrote to memory of 2676	1096	6e402303456d80df99b5442339851753.exe	48
PID 1096 wrote to memory of 2676	1096	6e402303456d80df99b5442339851753.exe	48
PID 1096 wrote to memory of 1964	1096	6e402303456d80df99b5442339851753.exe	50
PID 1096 wrote to memory of 1964	1096	6e402303456d80df99b5442339851753.exe	50
PID 1096 wrote to memory of 1964	1096	6e402303456d80df99b5442339851753.exe	50
PID 1096 wrote to memory of 1964	1096	6e402303456d80df99b5442339851753.exe	50
PID 2676 wrote to memory of 1944	2676	cmd.exe	51
PID 2676 wrote to memory of 1944	2676	cmd.exe	51
PID 2676 wrote to memory of 1944	2676	cmd.exe	51
PID 2676 wrote to memory of 1944	2676	cmd.exe	51
PID 1096 wrote to memory of 2556	1096	6e402303456d80df99b5442339851753.exe	55
PID 1096 wrote to memory of 2556	1096	6e402303456d80df99b5442339851753.exe	55
PID 1096 wrote to memory of 2556	1096	6e402303456d80df99b5442339851753.exe	55
PID 1096 wrote to memory of 2556	1096	6e402303456d80df99b5442339851753.exe	55

C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
"C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\xssQQQoY\degAcQkE.exe
  "C:\Users\Admin\xssQQQoY\degAcQkE.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:568
- C:\ProgramData\DUkYsckk\QcUUcYEQ.exe
  "C:\ProgramData\DUkYsckk\QcUUcYEQ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
    C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1768
    - - C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        8⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        10⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        12⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        14⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        16⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        18⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        20⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        22⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        24⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        26⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        28⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        30⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        32⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        34⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        36⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        38⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        40⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        42⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        44⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        46⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        48⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        50⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        52⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        54⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        56⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753"
        58⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe
        
        C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753
        59⤵
        
        PID:2128
        
        C:\Users\Admin\pCMUoMQc\DkMIocAE.exe
        
        "C:\Users\Admin\pCMUoMQc\DkMIocAE.exe"
        60⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 88
        61⤵
        Program crash
        
        PID:2652
        
        C:\ProgramData\dWsoMoUI\hkgEkEEU.exe
        
        "C:\ProgramData\dWsoMoUI\hkgEkEEU.exe"
        60⤵
        
        PID:920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 88
        61⤵
        Program crash
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZqIwgocg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        58⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pCcEsIsU.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        56⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KsQoYAMc.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        54⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HaUkYUEM.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        52⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rukMocwk.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        50⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOskAgkk.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        48⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\piUUYwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        46⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WAscMkoc.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        44⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KcooogUw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        42⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fkokIEMA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        40⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XMAgkgYE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        38⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PGsQQwEg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        36⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hwMAYkUg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        34⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DQgssAcI.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        32⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vgYAMcsQ.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        30⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WQwMAYIw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        28⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uKcIYQoM.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        26⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jicUkUYE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        24⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OOEIIMYI.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        22⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\UYcEcwAg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        20⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lMkUQYkg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        18⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hMQAYYUs.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        16⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EEwAAgUE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        14⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NUIwAUgw.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        12⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QQYIYkkg.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        10⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PCsAAYYI.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        8⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1000
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1964
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2788
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2556
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wkYEAwwE.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
        6⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:296
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:880
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:884
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\IKQwccIA.bat" "C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753.exe""
      4⤵
      PID:3020
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1412
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1696
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:792
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:548

C:\ProgramData\uAAsQgEI\zmgQUEko.exe
C:\ProgramData\uAAsQgEI\zmgQUEko.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.5MB

MD5
529bc3472a99313e54b75078894986bf

SHA1
e40e7593547fe71aa163f24d80d9392940729791

SHA256
9090fedba3cce5a2aa14fd6d7e0bfd41317e33f381396639a90a39afc39edc17

SHA512
d45c620c8802e0a85502c536f03d10179bf3c4528ee8a6180c521a29b9b973f1874cdfbdce9d61a1139431532481c5e3e9b988fc85fd794f563695b0f69fa703

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.exe

Filesize
1.2MB

MD5
fe1c62d20d6fdc57e23841c94d7234e1

SHA1
3d4b5854dc1a77aa18452cc1ac2c59090df1afbc

SHA256
e4805ee6455067f765a574f0d3ae852c827ffe6b7764ac0bf194b9ae71b45193

SHA512
b613e5a5bc0f0430439d669cbead609a4be5d38deb82277e5cd85450a09271beeac10a236c407c099ab942fd4a30f8df5eabe3dbab78618f2124f34e41e6b378

Download Submit
C:\ProgramData\uAAsQgEI\zmgQUEko.exe

Filesize
435KB

MD5
bfc9e35f521667f9c42a3b00afc9f4c6

SHA1
98fcac80b3ab1e4944025d573eedb9bceb8fa2b3

SHA256
fc0eee66a861b6ec5be305603c438fc01ca22fa4172adefbb7fcebd66aca98d2

SHA512
d0d53ce7d3c3c3b1b4f2b4782e32f08dbed34548b9147c504c6976466728402cff33143190f3dee34b41fd2873beafc48420009c8a975fe5ba8901be3fa23b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e402303456d80df99b5442339851753

Filesize
48KB

MD5
8069e690a23c6c533e7209fc672f9b23

SHA1
7c4c896dd84d8cf02eac5f74282a18323a0304e3

SHA256
e7e85353e559a647deb852fe76bcfeb7e0bac16c43ea107f523ca158e36159e0

SHA512
6f37198327e617aef5c0a41bf4e4098ef827aa520d98802ab93653bcbdce0646b370104ffc8feb25fece2593762d9bf6943dd6459f97e1356e602a680759044a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQQgwAcg.bat

Filesize
4B

MD5
19d0243a53602a8a483a88e7bcc1836b

SHA1
09201236d64346cd18fb71b749a01176c2a51eff

SHA256
be3a6066392a43ea354ed1fd1c68235baac155f7f9f036c633e53af723bec023

SHA512
44d0745946fa6be230a1ed15002c8c19e31cffa63d1aca7e12b345cb59d8828bbf00ec97091007b85cfe1ff52e5a8d0963f07c6203fc7233f7eb89bbac1bf4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYwe.exe

Filesize
474KB

MD5
ce4c65f51130141325b680d2b527a622

SHA1
7d3e3f075b0bdff0b319a0cc903ea4d833024852

SHA256
2808145d5ac46a159f7dac11c19a2dea5ca531eb8f523c4b0a84639de160d718

SHA512
2738e0b0455f1beaacf0fd5b73c90efafe3db3525d70b9cf6a04b3ae19ddd75b207ec8fa8ac1afdb9ae38cfd30843203de2b91d28616656468076800fc84b20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMEocAAs.bat

Filesize
4B

MD5
904cd18e68125da769a5f5b685fccdc5

SHA1
4d83c54ba0d78d6d78c82c72cdb2b22fe95cf7cf

SHA256
ae8367c855fc6bbaadb64e52e9c5e3221d5fec7a6724bbe1d75bf861ad599d18

SHA512
de9b7b35d7a3eca6dd828b777fd1f46dc9bc0f2b5aaf9986b71df175d5b5048a5b8c71dd4a127441a3c8c3ef07d415e6ef6ed51de1491ccade15c922af87b324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWwMwggY.bat

Filesize
4B

MD5
9cd1a8c1fb90d1479297354e177f873e

SHA1
a2bcb4324e159f6d2a99cb7784e7a8a741021f0c

SHA256
37fd6b0ee7467fb15b322b85dcd6f5e0f3684e91552784cf164d70c78776b374

SHA512
03ecbe46502efcbb38195278308cea9c7db11d75169777cdc81fec08229a44a58f4c9c1eaf356e081b10bcf065b0f7a6456d3c659950408b01d4a02fa36982b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgcQAQAo.bat

Filesize
4B

MD5
ecbbce25083f59f56f57bd86176b77a2

SHA1
cb0eba1342f765bd0e578b8af88aa529100bc260

SHA256
e3034b9e6874de74037756d499b0d74ef54b50ea4c53ac5ea98e240f8f3e7ab9

SHA512
cad2b2604a6674898b74fdc3ba778e884ead703423bceae8b190dd4e3420cdea068c11cb7a29a04c77fd233c25e4fddf0877064a41c55cb802ec724078663d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUAosEEs.bat

Filesize
4B

MD5
71de2dea26008bb7b44878c4887c4c2c

SHA1
34f875be30fff36f0ac827c7c614ed8eb5288182

SHA256
a71a81c094448d9369cf2953a830d64a61e9aae1ef4f2bf3a1befc40139d06bf

SHA512
f81353f67fe4157130f330242b1975cf9eac5617293a43cca8673353647b65a0e58d26b005918405627d90f3c16e447a772a19838fe997bb29eab50022ea3785

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUsMcoII.bat

Filesize
4B

MD5
f7626621ba6b864d79f019c5c223d8e9

SHA1
f45ea674bff71d655c11f594859c6ca4448fe383

SHA256
3af223b596cdf3e5367c6dd80e9215b201698194e59d9b9562c6d216204c3a5c

SHA512
ac9a5dea4db672f7841b6bd458aa1bf81890a292b420a6df566a6cfbee5d8f6d8e6028d4229efeff4bbf8fe5b6406aba1cb6f7d7ab239d638dedd50d14ddcc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQMm.exe

Filesize
559KB

MD5
0a798bd61a3143105126c6b398fb5fe2

SHA1
77c6d739420732b1d2688a958f4cb096ed3537df

SHA256
a2b52107ecd01b0a786288fbcd3b7358194b0d46cd676a173e6eea7d20b55b39

SHA512
e0f381d50ba1b494df9baf2ccb4db7a16f27beeb2e4618ae7cea31637523763b6f0f2d7d5aa3f8cf3131ecec6adfea6f74f9dc06b9bbcce4b0368518b5f85574

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoMQskQo.bat

Filesize
4B

MD5
3e45382dbaa84967d86dd227db911210

SHA1
f7bf43fabe695cd60d2a20eddc92f785f30341f2

SHA256
916dd612b3eb7467135a204963570cdd91654b4d8ab8165c3ed327a761de2fc4

SHA512
15bd5f9c6e5dcb49074de878c4f702e60572603815afc86d36452663557945723fef2a74a9baf268c402943fc09b6128f26aa6f626b42c0a10ff53afb1f59a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGEMsoIw.bat

Filesize
4B

MD5
7e8905ba06f433ab4eea195550376cd4

SHA1
1bde7a4048d0d30b691c9426fbc1c1057f0929ab

SHA256
8e101efa40d9d8697441a74b8fec6c88851fa6fa54265639f57bc477eff1de90

SHA512
bc7f0e4ba452d692c935cfca4b736f84183953b7795742427eaa358d1997650c479a6011498ef7fe963c5709225f277637916c5685ecd17b51a2273401186511

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUIwAUgw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSUksIQk.bat

Filesize
4B

MD5
2b0f5531209101714c9968c18714219b

SHA1
36a204e144f7327caf99ce1ab794d4d3e1e9cc14

SHA256
19332e740175581415e62e490fa49ae39c29b110dce7e6a21c95719d5273528a

SHA512
b83a488bc58e60051e8f792f5fc432f389de6b5c2f5d1be59e695194388cb364d555747382c2aecfe730c264250c6e8c0360cb5a1fc45b88257769020b9110d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAcm.exe

Filesize
473KB

MD5
28306afe5cea326ab779e3b6db7cf7ec

SHA1
279b94436f4af1c1893dbe6777c68db851966d35

SHA256
92249c8a3ea5b9fff24c1d492be69e4fc21ceddca3e6378405069b4499e337f1

SHA512
e37fc23bc728ad30955c239b0a480631261763cb6cd9e609fd466fc0b10fb8bd18881e8f8b370bf74bf8e62dc1efdb69f79fe0df280d0a5f66517b61b88a6d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqAUcoAQ.bat

Filesize
4B

MD5
4473f9191d1a2a39967185c4c3e7e73b

SHA1
7cfa0ceb6bb72e9e53200b2ae3f80806285fd0ec

SHA256
a888890bc3033f44d0e32531aa5a75811050f18c68e9d36245134c4170e12c63

SHA512
b154a265a44c6c2d539064b297995eaf43cede7010e555a4c884ee3e81754c93a674d7cb86f6a39f22f211493979f8f9e88231436ffce3addfae9c7a3d8c9ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMwcggkI.bat

Filesize
4B

MD5
278a9cfb77499eb9a6809fe8584e63ba

SHA1
e35182f26c8d36f54e915ccda27cde8794e3cae8

SHA256
e53b738c4d1c02199bcabe28b09b080a8d359e3fbeacc201b04260c10e99903d

SHA512
9d59e3b4aa1c54e2918eb30100808ea985b9c28c538cf1786bcb942ae125c712743dbbd26f68819e2f0f685f4fac9f354d2f5e229815180e8d44fdba939988bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAIc.exe

Filesize
463KB

MD5
03fa91af4742519c902506331aaee9eb

SHA1
e6461b4c4f874a85c2d70ce321119937d72faf88

SHA256
936d9e0a6c52525e0ebb872f65fe62b57af744d73bef96b0ac9c1a585832a0c6

SHA512
ed543eef39e5a7a5f12187cd07d92b819519df9b64d272d396d8e44316e04aca478920d5844b72717a17d0c6f67db8043c6005a8e8b31b3c3a68938ad3282394

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYEs.exe

Filesize
461KB

MD5
183e18eee80658c5523afb13b2a91171

SHA1
5335a92333633545e3ea6efba74ccb389969f2f3

SHA256
1757f84815b3a42431e401051def92d2d0e4c86909211d8822fd1fbeff6ad41f

SHA512
666a40960f1a7727627921a010f2a1664d6070789187e83f85958a1555c5dc20ffa76e03211d947f6f8f7c7911673b3557c18e09a064cd818caf0c1767734766

Download Submit
C:\Users\Admin\AppData\Local\Temp\VKYYgEAM.bat

Filesize
4B

MD5
e39b1d17b7bc370697f6c86cacf0e31b

SHA1
c994da83794c86681ffde3c4cccc285305139c53

SHA256
859641a98c81c872a55e7ba635147c8813d2470261993342baff95cc6c27dc46

SHA512
4060af3b3632b0d9751191281ee059205ea8da51e80820b30e707d9072c8f2b1874c72931ae075df585b66ed8641b274700beac29655f34e957ca20fa6b28ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQIYwwEg.bat

Filesize
4B

MD5
54307de6582a78f5509029d0500d96e3

SHA1
f3674a86777a4281c32fdec31c906b0fb1f9c6bc

SHA256
fa81c53c9f421045f11d1d1958353149c5ec680814c04a6bd2847aa339f2fb17

SHA512
3663d5bdf75d465fff454a26a9a8cfc026ae649f889c12866d03988e8b2a08270ea415d0a9eb03d255bc28523b57fe67be58516bf8984ac0f8579d21283b54e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZioYEUkg.bat

Filesize
4B

MD5
32ac01e2991107205f19c3593f79ac87

SHA1
ca228dd7b5573469a99f20004a8e610db806d082

SHA256
522651fb023afed37194f5e0316f721775a38e9846a5c53f4f64db5f03cc49f3

SHA512
c2040b50e7e3949ef915f52e5bf849055bc2b095dab8719b0fd22f534c6d5c9e4f47c470bcdd60873c5840d77b5ab20de37b50a99bf9ff7227cc01f9a910a33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZkEMgAog.bat

Filesize
4B

MD5
5183b40802ffe76d8be6ebe9ca6863f4

SHA1
111fbb4b56aabc77b6fe880652ab67698d3564c9

SHA256
c19a3300099ed8f6e7fb59327ddcdf22212af966aec2df923525fadebe673bd8

SHA512
e92868bccf229c593f4ae510774edcf8c789773c65024c0ff27eba62c1cf6c656aca7e946bc8a0ba708b16383c277f03d9c346d8bb305e96142061a7f1abba7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWkQUMUA.bat

Filesize
4B

MD5
270884214df214913ef28d1c6968f776

SHA1
8f1d3751a29d6bea8269c850ae1be22c31f52e1e

SHA256
32996f6267b9bf19c4d6844990ee5022e403311bff57a81f6f37edc713489d43

SHA512
d46d51ca40a69019d48c45728aee2a18f074c9fdb45bd8157e01d21ec53a1c6a89830d730fa05ed458a7d2263de262356ed370e47ab1f831d0b1a2e32edece6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAgE.exe

Filesize
561KB

MD5
096916541f3ab0777a810f1f8d4e48e9

SHA1
1bacab040b4a159b1d7608264b51d398dd54d8d0

SHA256
5e2d0d37cb55f04a4abf3272de4e827e14e2bc88362beccaf6f3c457990679bb

SHA512
412d417286ebfa2608944f16a0262bbc4c64ed0816077b6236f61bc4fbf9eec81d570a3295404046190d2f9a3c6491a89a2f03772b94bbcfb4eca8f37c71b478

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIgsAAIQ.bat

Filesize
4B

MD5
451b77a9ac05edbe8fb8264d31972b39

SHA1
b82b2231fa2cf06ce3c6c7493c0fb6975a7b3249

SHA256
1a2d1bd6814e95e5f00c691c6c5807023f7e72f8125a40911ed181fad0bfd3c9

SHA512
069452ad15076935c22e954338b7d1b034f576624c1f9bd4b69db63c8414a3da842640f0d1713e8ccafb59630aed31d93db3e465d52dd9e639de318aced6ba18

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOEoEwYQ.bat

Filesize
4B

MD5
9d3beeb89a8d4d6379cfaddf63a23219

SHA1
b2ee048baa3e3342264d5749b98a46944aecad76

SHA256
3f651f60e34effd143a0fdc1f612b8c1b5dca34016260d42d72d201fce05c63b

SHA512
3f9754bddc0ed20d29de77bd73c59e5432cafb8277c8d3e5807b06be3846852a111f8348b287c582331f4d9c244f1940f1f022ad8b45a5a9f960f0b06847e54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAsowYws.bat

Filesize
4B

MD5
3cf450e5e1f9397d7a50e41099efeca9

SHA1
8cda544eac0a24e12914ea9bc3b23e14f689395e

SHA256
d8af927662454132c22591b1af1bff26ac1835a1ddbf37fcfebd8f5685ea85c8

SHA512
cc52e3905f7867ca64617dd7818b035bbeee98595ef2c523dd4b3a2d6852e75c330930b1d5358b0d015cd766e1e9fc2da9da88f2f74c6ff56ca617aee60c6ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSskIwEk.bat

Filesize
4B

MD5
9c4ac4e90af276f9a1da48ababae205d

SHA1
c70cfd4d8409c8cdac499ac5c1580340744a79bb

SHA256
660cd826d01abee443301873689efe8c2d1f05e8707d430b2a22b9cd9a5fcb23

SHA512
d49257510fb585b2d7932e1c305c6a0bdd60afb931fc1b8b85841ebba310ef1cfdaad02445823694f612d4b67cdf66dec62efdaf360c5af8fd41d3e2444d5a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUwK.exe

Filesize
481KB

MD5
6a806d5bdb62fc1e2faa7e2cefb30232

SHA1
8ec0b890329479d263f14fb38155f92a1c4d1662

SHA256
bed6a4496b108dddee34f13cc83faf917a5a712b65901d064f313a65f89fbfd6

SHA512
c5ee2ae8ab39ed74f56217263e086a04e447964548fb3ff8e0710db19693eb84af223795de71bbc812241b4c1881617ac035e22f2f0fd0c589583fb4ec6c3d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaEcYoEY.bat

Filesize
4B

MD5
f46d1cf69d9adc9b84237bec67aeeefa

SHA1
de34c379461d3c0e511e6245ed226896c753a604

SHA256
d91a6ae30b143947471d4b73f0aba5d9b62c5a28e4c89c2f4b9c9eb388ccb09d

SHA512
79452b5b469da05ab6ad6635e1ecbd7748e5dd9b5e530e2b7ce4f6bbc7b8b42b049d38352be5eed8735bb39cc25e3cc2626ee8f58354b57ba670ba169621bed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikkAoEsw.bat

Filesize
4B

MD5
60909d8d6aea8cd5e8ab1c7ee95a5869

SHA1
8cb7dcad53361ab0f0aef05faaffc337851fd70d

SHA256
b0a674d778b07bdea3fa909a4f61d6f184e7b09fafb18eae2cf5f5339dbda72c

SHA512
ee654995b648a9d561fcbe1380aa94429b0369599a799518b533148f8a7422ff1f461ab41d75049c5dad3cbecc0eb4ec0dac75331447060671cffa123f4e1378

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOwocMwI.bat

Filesize
4B

MD5
82f9b1eb2597e774b2f821797309d369

SHA1
e8cd7a167f77076694fc84d1a65ffa7b0616f5e2

SHA256
345a07a0dc47b93975da0c23fdc4bd91c2a9657e1a16e4f9727c5adb89abe48b

SHA512
6f0d966b2dab5857040c3ddbc0bce0f123333ea95c9f42eb380ef490229bcb408276e0c69bc4199a7ae9dae522807e39c783bbd06068b72e3e808610915c7100

Download Submit
C:\Users\Admin\AppData\Local\Temp\kewYQEIE.bat

Filesize
4B

MD5
0033931edbf89aa1b8add066b0da81af

SHA1
c02e669a340b8ce93a5055a0fae92b88f0616ac6

SHA256
d0b31cabd1c1f515dc1f8a0264903412a4cd24c17b7007e3e640fa8a19c85066

SHA512
face91584c9f8313cc6b4be00f3b92677880a1f07ac5d7c14896fb5f182f3d04a0c6ac07bfd6c5072f4c0ccf89138646ba1d12013dd28ca8e79269d551bdd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCkYokwA.bat

Filesize
4B

MD5
4339b01f0c52dd29ccdd047bd3b0a92a

SHA1
a1a69e5539838a43a7be6e9f30a23aea53338aee

SHA256
54c235f1ec094bcd80ba39cd8e99e63e4b9f4d53ec2ec74454dc5e4e0cfd25e2

SHA512
68c004da15b89d3f336e9bdc0250a9ef06a5272bea882279a44c6270cfd1316a4afa7b23230070fc1eec1cff160193d147586a9fe9d1292caeb26ed3582d6ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqssQocU.bat

Filesize
4B

MD5
276f86b0e090aa4fa1905c70ae8aec73

SHA1
6d0a0f4d132c79f0391516e219d79516905c997c

SHA256
1c060d66b067a091017d09e4a99613f16e7d1a2e8afeab8fe9e740ce6a2a3258

SHA512
78a759f1883d1fd3c45c8304054c692b7cbccec62cff37dc7ee5760535f7d83148d2902612888ec6798d11a9712a05c858a5437bc344355d0a9f4e63416bf99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyQIsYws.bat

Filesize
4B

MD5
76d9ce6e36650487954157b1975cb638

SHA1
5b68817ed950fff7e37d02c567a98ee04691b239

SHA256
94fb62a7041af9b8759a37445efbd8ec682825c5a441be6e64da281b8c6f3b68

SHA512
2f8c975abee305297abba674c240a68f5e9a34549c8fad7d702f40b13782ec50e494541d0b08086e11a8005fdb626fd8da5abb42b2c1bc8db4da94829ef7781d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAoYAYcY.bat

Filesize
4B

MD5
0bcd37001217a7612e942282b3219481

SHA1
46c97f6b4acf1198d413daac4133e0522c94ed3e

SHA256
494763e3b2237580a1fa4f733f1e99e48c48a6ef6c31f2924295e380eda5dd1b

SHA512
77935fc37b0cd9ac5b280795d5439adf3fbcc26288abdb6566fc752021e4ace98a20abda547af30816b692c4b689dca30d0b1d89e5856e7f46721a5ab238e92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUgoUQUg.bat

Filesize
4B

MD5
e4562de84dc5cf51affb4aa6309382ba

SHA1
50a8fcae6f4f85bb738a98b3a19734abe05a5c13

SHA256
91479e44e16f1ca0539e761afca7f4614869e6444b3bd397794deda0ca391912

SHA512
33a17d885f36c00df629d4b5440fd2893f880a6f2e26f6e01a48f94b2602c00ecfa64fc276310279e9e4554448ab4db2bf48d7ba4e30599b7f94c69b038d2e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqAs.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\DUkYsckk\QcUUcYEQ.exe

Filesize
433KB

MD5
46b468ff484b5a5ec73efc69a3fe1068

SHA1
4d27d5771650e860316640a8e0f1d4ba03ff20fe

SHA256
f1cd736bbd5024c6e4a6e6cae4e83343ae6fced788177f9e008a19c2aa2a7c41

SHA512
2e3d6ef708f90d26650b3a7d456fed726284348a9dcb2d4c88ee7bb1690cd88de1527185cbcca695cc6beac7453d91491641a89a14cbebe5bcd39ef4644f9826

Download Submit
\Users\Admin\xssQQQoY\degAcQkE.exe

Filesize
432KB

MD5
83519493583db36bb5141a71bf5c5d91

SHA1
1c7ef50db9a22927362d2d9bda5cd0afdaec59a8

SHA256
13b2c93ca2f1144fc33af72f496ab880f5fbb902982e2ec4ade1822c7f9e2c1c

SHA512
26a2568940592a43d02b913d0b0752b1f15fec23d0f503b17292651195db291ffd03c8e73d25a5daa914ed1551e2bbe08c2017b2633af037074b763694d90496

Download Submit
memory/436-584-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/436-384-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/436-514-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/568-40-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/568-10-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/704-464-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/704-629-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/840-395-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/840-523-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/896-489-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/896-589-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/896-347-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/992-310-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/992-229-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1096-81-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1096-150-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1096-199-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1264-442-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1264-588-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1360-586-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1360-431-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1368-59-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1368-120-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1536-329-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1536-148-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1536-262-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1596-585-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1596-430-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1596-274-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1652-191-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1652-116-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1704-167-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1704-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1708-619-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1900-510-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1944-166-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1944-105-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1980-608-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2036-309-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2036-251-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2152-490-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2164-525-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2164-419-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2416-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2416-23-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2432-240-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2432-317-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2528-498-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2528-587-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2528-360-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2708-590-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2772-41-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2772-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2852-263-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2852-301-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2880-618-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2880-452-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2932-571-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2932-509-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2932-373-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3060-128-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3060-183-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3060-70-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3068-497-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download