def3b7ba5b2651941218d77272bcb2fde5d6e91ea64507fee316d4085a18b244

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d237f885015bacd32483f7d4135d1df.exe
Size

488KB
MD5

1d237f885015bacd32483f7d4135d1df
SHA1

1f01e2174ee2b300cf5c74d7df0bfaee11a57f78
SHA256

def3b7ba5b2651941218d77272bcb2fde5d6e91ea64507fee316d4085a18b244
SHA512

8447ae5500a602f7e763c81469e9f4e540c226565ad6a970d10675a75dd02c3ef3a02bce7be3c9b6f8c3bdd9318178bba2c8a62298c9b9bf7f23c0e309ff32d7
SSDEEP

12288:xHVPzjc6qD9ShYAk9FML7ke0fOlW6z11z1gx:xxch9r9hmlW6rz1

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1d237f885015bacd32483f7d4135d1df.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\Geo\Nation	ecEcMUgY.exe

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2992	ecEcMUgY.exe
2280	RywYooIA.exe
2900	TWoMMsUY.exe

Loads dropped DLL 22 IoCs

pid	Process
2996	reg.exe
2996	reg.exe
2996	reg.exe
2996	reg.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecEcMUgY.exe = "C:\\Users\\Admin\\XkMcYIEQ\\ecEcMUgY.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RywYooIA.exe = "C:\\ProgramData\\leYAUwws\\RywYooIA.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecEcMUgY.exe = "C:\\Users\\Admin\\XkMcYIEQ\\ecEcMUgY.exe"	ecEcMUgY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RywYooIA.exe = "C:\\ProgramData\\leYAUwws\\RywYooIA.exe"	RywYooIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RywYooIA.exe = "C:\\ProgramData\\leYAUwws\\RywYooIA.exe"	TWoMMsUY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\VuwMEgYM.exe = "C:\\Users\\Admin\\BYwQAIMo\\VuwMEgYM.exe"	1d237f885015bacd32483f7d4135d1df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UOEQcgAI.exe = "C:\\ProgramData\\OewkMsYI\\UOEQcgAI.exe"	1d237f885015bacd32483f7d4135d1df.exe

Checks whether UAC is enabled 1 TTPs 48 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1d237f885015bacd32483f7d4135d1df.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\XkMcYIEQ\ecEcMUgY	TWoMMsUY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\XkMcYIEQ	TWoMMsUY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2620	1352	WerFault.exe	69
2972	2084	WerFault.exe	72
2652	2132	WerFault.exe	100

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
884	reg.exe
1508	reg.exe
2412	reg.exe
2988	reg.exe
1948	reg.exe
2492	reg.exe
2024	reg.exe
340	reg.exe
2696	reg.exe
2596	reg.exe
1624	reg.exe
2356	reg.exe
1972	reg.exe
2636	reg.exe
2836	reg.exe
1868	reg.exe
2404	reg.exe
1668	reg.exe
2656	reg.exe
1872	reg.exe
904	reg.exe
2980	reg.exe
2024	reg.exe
876	reg.exe
1084	reg.exe
1632	reg.exe
1924	reg.exe
1868	reg.exe
1032	reg.exe
1964	reg.exe
1508	reg.exe
1712	reg.exe
1496	reg.exe
2436	reg.exe
1748	reg.exe
2924	reg.exe
516	reg.exe
1632	reg.exe
1080	reg.exe
340	reg.exe
2140	reg.exe
2188	reg.exe
1876	reg.exe
884	reg.exe
2300	reg.exe
560	reg.exe
2328	reg.exe
1816	reg.exe
2528	reg.exe
2988	reg.exe
2928	reg.exe
2044	reg.exe
1948	reg.exe
268	reg.exe
988	reg.exe
2372	reg.exe
1648	reg.exe
2624	reg.exe
2140	reg.exe
2672	reg.exe
2496	reg.exe
2248	reg.exe
2856	reg.exe
1304	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2996	reg.exe
2996	reg.exe
2616	conhost.exe
2616	conhost.exe
2820	1d237f885015bacd32483f7d4135d1df.exe
2820	1d237f885015bacd32483f7d4135d1df.exe
2044	1d237f885015bacd32483f7d4135d1df.exe
2044	1d237f885015bacd32483f7d4135d1df.exe
1872	1d237f885015bacd32483f7d4135d1df.exe
1872	1d237f885015bacd32483f7d4135d1df.exe
1852	cmd.exe
1852	cmd.exe
388	1d237f885015bacd32483f7d4135d1df.exe
388	1d237f885015bacd32483f7d4135d1df.exe
2412	reg.exe
2412	reg.exe
2196	1d237f885015bacd32483f7d4135d1df.exe
2196	1d237f885015bacd32483f7d4135d1df.exe
2308	cscript.exe
2308	cscript.exe
1052	1d237f885015bacd32483f7d4135d1df.exe
1052	1d237f885015bacd32483f7d4135d1df.exe
1820	conhost.exe
1820	conhost.exe
1748	cscript.exe
1748	cscript.exe
1864	reg.exe
1864	reg.exe
2712	1d237f885015bacd32483f7d4135d1df.exe
2712	1d237f885015bacd32483f7d4135d1df.exe
1992	1d237f885015bacd32483f7d4135d1df.exe
1992	1d237f885015bacd32483f7d4135d1df.exe
1516	1d237f885015bacd32483f7d4135d1df.exe
1516	1d237f885015bacd32483f7d4135d1df.exe
3060	1d237f885015bacd32483f7d4135d1df.exe
3060	1d237f885015bacd32483f7d4135d1df.exe
1860	conhost.exe
1860	conhost.exe
2064	conhost.exe
2064	conhost.exe
1008	cmd.exe
1008	cmd.exe
1320	cmd.exe
1320	cmd.exe
1700	cmd.exe
1700	cmd.exe
3028	1d237f885015bacd32483f7d4135d1df.exe
3028	1d237f885015bacd32483f7d4135d1df.exe
1080	reg.exe
1080	reg.exe
2020	cmd.exe
2020	cmd.exe
2980	1d237f885015bacd32483f7d4135d1df.exe
2980	1d237f885015bacd32483f7d4135d1df.exe
2664	cmd.exe
2664	cmd.exe
2516	1d237f885015bacd32483f7d4135d1df.exe
2516	1d237f885015bacd32483f7d4135d1df.exe
1876	reg.exe
1876	reg.exe
1244	1d237f885015bacd32483f7d4135d1df.exe
1244	1d237f885015bacd32483f7d4135d1df.exe
2864	cscript.exe
2864	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2992	ecEcMUgY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe
2992	ecEcMUgY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2992	2996	reg.exe	25
PID 2996 wrote to memory of 2992	2996	reg.exe	25
PID 2996 wrote to memory of 2992	2996	reg.exe	25
PID 2996 wrote to memory of 2992	2996	reg.exe	25
PID 2996 wrote to memory of 2280	2996	reg.exe	23
PID 2996 wrote to memory of 2280	2996	reg.exe	23
PID 2996 wrote to memory of 2280	2996	reg.exe	23
PID 2996 wrote to memory of 2280	2996	reg.exe	23
PID 2996 wrote to memory of 2128	2996	reg.exe	1317
PID 2996 wrote to memory of 2128	2996	reg.exe	1317
PID 2996 wrote to memory of 2128	2996	reg.exe	1317
PID 2996 wrote to memory of 2128	2996	reg.exe	1317
PID 2996 wrote to memory of 2764	2996	reg.exe	1436
PID 2996 wrote to memory of 2764	2996	reg.exe	1436
PID 2996 wrote to memory of 2764	2996	reg.exe	1436
PID 2996 wrote to memory of 2764	2996	reg.exe	1436
PID 2996 wrote to memory of 2652	2996	reg.exe	1435
PID 2996 wrote to memory of 2652	2996	reg.exe	1435
PID 2996 wrote to memory of 2652	2996	reg.exe	1435
PID 2996 wrote to memory of 2652	2996	reg.exe	1435
PID 2996 wrote to memory of 2596	2996	reg.exe	606
PID 2996 wrote to memory of 2596	2996	reg.exe	606
PID 2996 wrote to memory of 2596	2996	reg.exe	606
PID 2996 wrote to memory of 2596	2996	reg.exe	606
PID 2128 wrote to memory of 2616	2128	conhost.exe	1181
PID 2128 wrote to memory of 2616	2128	conhost.exe	1181
PID 2128 wrote to memory of 2616	2128	conhost.exe	1181
PID 2128 wrote to memory of 2616	2128	conhost.exe	1181
PID 2616 wrote to memory of 1988	2616	conhost.exe	1433
PID 2616 wrote to memory of 1988	2616	conhost.exe	1433
PID 2616 wrote to memory of 1988	2616	conhost.exe	1433
PID 2616 wrote to memory of 1988	2616	conhost.exe	1433
PID 1988 wrote to memory of 2820	1988	cmd.exe	1432
PID 1988 wrote to memory of 2820	1988	cmd.exe	1432
PID 1988 wrote to memory of 2820	1988	cmd.exe	1432
PID 1988 wrote to memory of 2820	1988	cmd.exe	1432
PID 2616 wrote to memory of 2924	2616	conhost.exe	1295
PID 2616 wrote to memory of 2924	2616	conhost.exe	1295
PID 2616 wrote to memory of 2924	2616	conhost.exe	1295
PID 2616 wrote to memory of 2924	2616	conhost.exe	1295
PID 2616 wrote to memory of 2688	2616	conhost.exe	1431
PID 2616 wrote to memory of 2688	2616	conhost.exe	1431
PID 2616 wrote to memory of 2688	2616	conhost.exe	1431
PID 2616 wrote to memory of 2688	2616	conhost.exe	1431
PID 2616 wrote to memory of 2956	2616	conhost.exe	1429
PID 2616 wrote to memory of 2956	2616	conhost.exe	1429
PID 2616 wrote to memory of 2956	2616	conhost.exe	1429
PID 2616 wrote to memory of 2956	2616	conhost.exe	1429
PID 2820 wrote to memory of 2360	2820	1d237f885015bacd32483f7d4135d1df.exe	1427
PID 2820 wrote to memory of 2360	2820	1d237f885015bacd32483f7d4135d1df.exe	1427
PID 2820 wrote to memory of 2360	2820	1d237f885015bacd32483f7d4135d1df.exe	1427
PID 2820 wrote to memory of 2360	2820	1d237f885015bacd32483f7d4135d1df.exe	1427
PID 2360 wrote to memory of 2044	2360	cmd.exe	1426
PID 2360 wrote to memory of 2044	2360	cmd.exe	1426
PID 2360 wrote to memory of 2044	2360	cmd.exe	1426
PID 2360 wrote to memory of 2044	2360	cmd.exe	1426
PID 2820 wrote to memory of 1712	2820	1d237f885015bacd32483f7d4135d1df.exe	1425
PID 2820 wrote to memory of 1712	2820	1d237f885015bacd32483f7d4135d1df.exe	1425
PID 2820 wrote to memory of 1712	2820	1d237f885015bacd32483f7d4135d1df.exe	1425
PID 2820 wrote to memory of 1712	2820	1d237f885015bacd32483f7d4135d1df.exe	1425
PID 2820 wrote to memory of 1796	2820	1d237f885015bacd32483f7d4135d1df.exe	1424
PID 2820 wrote to memory of 1796	2820	1d237f885015bacd32483f7d4135d1df.exe	1424
PID 2820 wrote to memory of 1796	2820	1d237f885015bacd32483f7d4135d1df.exe	1424
PID 2820 wrote to memory of 1796	2820	1d237f885015bacd32483f7d4135d1df.exe	1424

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1d237f885015bacd32483f7d4135d1df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1d237f885015bacd32483f7d4135d1df.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d237f885015bacd32483f7d4135d1df.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
"C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe"
1⤵
PID:2996
- C:\ProgramData\leYAUwws\RywYooIA.exe
  "C:\ProgramData\leYAUwws\RywYooIA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2280
- C:\Users\Admin\XkMcYIEQ\ecEcMUgY.exe
  "C:\Users\Admin\XkMcYIEQ\ecEcMUgY.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:2616
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\jCkUEIYE.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:2836
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2304
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1872
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2596

C:\ProgramData\YkkwkEco\TWoMMsUY.exe
C:\ProgramData\YkkwkEco\TWoMMsUY.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1668
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2208

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1852
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1948
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\bGUkYIsE.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:948
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:2024

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\COgckoow.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:696
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1892
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:1884
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1244

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\PaYgsMgA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1848
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2312
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2852
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1976

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2308
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\OsggAMEA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2336
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QOUwUIYM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1948

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
- Adds Run key to start application
PID:3040
- C:\Users\Admin\BYwQAIMo\VuwMEgYM.exe
  "C:\Users\Admin\BYwQAIMo\VuwMEgYM.exe"
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 88
    3⤵
    - Program crash
    PID:2620
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1808
- C:\ProgramData\OewkMsYI\UOEQcgAI.exe
  "C:\ProgramData\OewkMsYI\UOEQcgAI.exe"
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 88
    3⤵
    - Program crash
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ocwAIYoM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1320
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1736
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  PID:1208
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  - Checks whether UAC is enabled
  - System policy modification
  PID:2608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1512
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:764
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2364

C:\ProgramData\tagYAEMM\joIEooIE.exe
C:\ProgramData\tagYAEMM\joIEooIE.exe
1⤵
PID:2132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 88
  2⤵
  - Program crash
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:2572
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2428
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2308

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iaEEEYEw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2608
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:1820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1732
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\PCosMkEc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
      C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
      4⤵
      PID:1320
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2036

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2672
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2128

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:312
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2836

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2540
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:312

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1980
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:1860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\dWsEsMQE.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:3044
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\fUkkgIww.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1328
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:2172
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:1876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1620
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmEwcUYw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:904

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOAYkUwo.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2908
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1508

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2664
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1244
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LyssUcUY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2728
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2528
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1860
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2196

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2136

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1056
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:784
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:616

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1052
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\REYkccEg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SAAYwEMM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:3032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:2616
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:1704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1612
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2604
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2192

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2848
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1620
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1008

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1580
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3036

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2140
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:2140
    - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        5⤵
        
        PID:1820
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:2496
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUcIwMsY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        6⤵
        
        PID:2936
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2776
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:2672
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        6⤵
        
        PID:2364
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        7⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        9⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NgMEwMEo.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        5⤵
        
        PID:1544
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:632
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1172
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        5⤵
        
        PID:576
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1216
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\skYQosYc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:816
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1700

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2800

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\fOAIwskY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\kWYwIUgk.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:2076
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2148
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2404
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:1356
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1584
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1556
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZgoEUQgc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1536
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1796
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2300
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1808

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OuMkMAQU.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:2428
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2204
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:524
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2552

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mWgkQkgg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:1740
    - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        5⤵
        
        PID:696
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        6⤵
        
        PID:1916
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:3064
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\HmEAEEsM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2024
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2664
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1540
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:568
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1668
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1092
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1584
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1012

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DoEYMcwg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:1728
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:708
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - UAC bypass
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2180

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOQMwAss.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\oAoMswYI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:2616
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2800
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2664
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2352
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1084
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2792
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZCcMkUkc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:952

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bIUQcQsc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:3044
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1912
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2676
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1660
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:816
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\OIMIwQAc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Suspicious behavior: EnumeratesProcesses
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:2952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2964
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\aAIMEsAQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1216
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2688
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1976

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TIUYsEYA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\ziwcYccs.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:2376
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2436
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2344
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hiMkcwgg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:1740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        5⤵
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        6⤵
        
        PID:1516
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:1724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2080
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:532

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jawMwYUw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2156
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:3044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:340
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\viEEoccA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2156
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\gCkoEEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:2420
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2428
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-83831677569177816112898484111292419198-1273054871872719618-723510155-501405320"
1⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1508
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
      C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CEEUQswU.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        5⤵
        
        PID:1488
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2200
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:876
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:952
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        5⤵
        
        PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\TagEcEsk.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1056
  - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
      C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
      4⤵
      PID:2428

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\cGMUskYY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:696
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\eoooMUEQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\pqMocwMk.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:3060
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QaEwowMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        5⤵
        
        PID:2052
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:1304
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2016
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1588
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pEckMYkI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        7⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        UAC bypass
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        7⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:2936
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        5⤵
        
        PID:1804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2636
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:792
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:988
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:696
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\DAsUkMsI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:996
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2356
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1848
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\XsMAgkMw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tscEooow.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:2616
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GiEgksEI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        5⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:2328
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        5⤵
        
        PID:1908
    - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        5⤵
        
        PID:1924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2480
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
      C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
      4⤵
      UAC bypass
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      System policy modification
      PID:2516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
      C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
      4⤵
      Modifies visibility of file extensions in Explorer
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      System policy modification
      PID:2712
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\gkwgUEoc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
      C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
      4⤵
      Modifies visibility of file extensions in Explorer
      Suspicious behavior: EnumeratesProcesses
      PID:1872
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1960
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2928

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
- Modifies visibility of file extensions in Explorer
PID:1484
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\eUgwUcso.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\mGcIYEMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2228
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2380
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2464
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:2692
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1732
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1896

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2324

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\UIQEAIAU.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1080
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\FqsUUwUM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2328
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:616
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:2980
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:2624
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2440
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        5⤵
        
        PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:2444
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\rgkMoUgs.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qqoYEosg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        5⤵
        
        PID:2860
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2608
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:1624
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
        
        C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
        5⤵
        
        PID:1648
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1632
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\wCkIEQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1924
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1996
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies visibility of file extensions in Explorer
      UAC bypass
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bwMMQwUs.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        5⤵
        
        PID:1896
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2764
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
      C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
      4⤵
      PID:2296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RAMcYYcI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:956
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
      C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
      4⤵
      PID:516
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MSYMsUAA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        5⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2108
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:2140
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2036
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11196695718854021301986004407-7100654891309947504-1415545622-1493265725899733950"
1⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1896
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:1700

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\mqYcUIEY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:656
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\fYQQQIgo.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:1948
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1512
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1592
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    PID:1984
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2196
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\fEIssQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:996
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
      C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
      4⤵
      PID:1920
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\PkEQsgUA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:2572
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-164878903534353130-1167812934-485159573-1887181392-1168800639-2015434936353768597"
1⤵
PID:2080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsMkcooQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:2648
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:1708

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "633540903-1774113677-127391772914305083081347326321141871980817862364681774561265"
1⤵
PID:956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10996737614242556072112546069-279811280-348278670-17731126511326301798-1937622214"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hgcgocMI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "971084393-8383949218019446535717323611494263085-374422180247737149-542967787"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\aEIoIcwI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:2200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1964
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\KygscgUQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:288
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\umwQwgEk.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCsIcUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:1508
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:2204
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1944
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1944
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  - Checks whether UAC is enabled
  - System policy modification
  PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RiQsAQEI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19028230511918107341-1548607867966883761-1982498063-958148698-3986854262039087028"
1⤵
PID:2544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1516
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2728
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  2⤵
  PID:2552

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:2872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUwocsUk.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1708
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2924
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1128101778-2021398441779246355-1169289928-1062535701-4379870686681213391338006826"
1⤵
PID:1432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEggYcgA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  - Checks whether UAC is enabled
  - System policy modification
  PID:2312
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1976
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:340
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:2552
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\oMYgooEI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:388
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2988
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:2928
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:3028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqoMcEsw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\mAoIsAkg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:616
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2192
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1204
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
    C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIAgcAgY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\yEQAgkcA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1972
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:3044
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2256
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tkYMYkYI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:1116
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\DEAUcIsw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:2848
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Suspicious behavior: EnumeratesProcesses
      PID:1864
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\GkUwowcM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        5⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2624
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        
        PID:2156
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        
        PID:984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
        5⤵
        
        PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgowkUAs.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
        5⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:884
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ciQYUYwM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1008
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    - Suspicious behavior: EnumeratesProcesses
    PID:2412
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
    PID:1640
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2532
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1616
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\maAYkggg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vAIQgsoA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:784
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qEowwUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:904

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11144674092012714218-88684570120384348161482546632-21348984111749481957498290584"
1⤵
PID:2568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1817219917378256511139199089-1574837932-770624832-528961339-502953454-1022821544"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1540

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XGkcEYIE.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:2140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2656

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1356

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19276374791126151283-1983179197-93819801738969844020714436009412628782143055421"
1⤵
PID:808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16652575622285060551480450384-180577884920534664021517829967-1191875055203988540"
1⤵
PID:2968

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1691885695-786475148-867582075-126543257-1528067236-614601710-1069472776-2004141530"
1⤵
PID:2892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1368733124-1089050175-129625249519901416412143723783-729456415-2054715029701300237"
1⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GukwAckY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10155402619621876511400936101-1472075955984751164-606395369-970845014-1097223017"
1⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\HwQwAYQQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1960
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1116
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1156
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-48788598-1989386709957360258-1963886575-984086546-14574580181421673521-1737609430"
1⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "99598074-9323837631501513837990719383-129673264150290603844994515-884473176"
1⤵
- UAC bypass
PID:1812

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HmAQUEQI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20770125391002912032-579316639410559064-276170647-486844520-1162786448378800841"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "626302697125288353712237682241021083295-1102096490-2014583016-1226110165965562968"
1⤵
PID:1544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1950693977-1550924513-1537465470-18904608542052653579-2080456742574870692-1834754097"
1⤵
- Modifies visibility of file extensions in Explorer
PID:880

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-910969975164636611111501689571683890871-12644877651774312556-526671676-1817354125"
1⤵
- UAC bypass
PID:1604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12593330081959545368881071994-957384761-1843909486-1436486378-890870934-1234476759"
1⤵
PID:2872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "589471047346183611-481023149-184788139914146549981838158608-683505951-1450774687"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-648755533-17700764402009325042-1012641774-1969060658682689807-1364670654-405347401"
1⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vkwgkEco.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykscQowI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:2860
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:1084
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-59259736710530293891205000639-2074742395750508183551682954-117371145022947927"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kgwEkoMg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-508914625-13001305771432078381-9918912328731124684762253111605098611033098760"
1⤵
PID:764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies registry key
PID:1972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\CGYAMAcI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:760
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1588
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2116

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QsgwEcgg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2997909-1247171363-1324685046-1810524000660786116689417340-1835013931592635370"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zKoMAosg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:1512
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1996
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2684
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1584
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2980

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\eaEsccQg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:3044
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:268
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\hAIwIgYE.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:640
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      UAC bypass
      PID:632
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1648
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-387834345-757113499540917229803283229-1994749935-17620352481341011053-1206072581"
1⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GoQYIosY.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:656

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\VoIMMcEk.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1916
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:1148
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:900
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1189606189235744989-202849638620627107151959621461-416685508-1006632305-710558692"
1⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "520475646-1143621225-1840168874968038618-2025585043-16522398461140798810-1980557538"
1⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LCcwosUw.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1479572584-215682792-400003272633517406-1864229609-1806775571680828090-2145707712"
1⤵
PID:2444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1369733796744094790544589361400959414411788991912442086875550592-1646676090"
1⤵
PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6075823785671478301629839845-140404625492300352-904474698-4740309861265446135"
1⤵
PID:952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "64047946-1521114371563751192-1149557375415031353-1365246726-1594598135-460710398"
1⤵
PID:792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-107351968-1053426128102223199315627670751952661152498001367-1815411470280783378"
1⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TwgsEIog.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "555555046-1073089892-428029722102316811424506289-13094668302060608233-1441542809"
1⤵
- UAC bypass
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\maMoMwgk.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5822517301277722965268202991362950349-1046641298-201688229-15908127691545487276"
1⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1056
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:2552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9743656195513374110750930361983122717-1627625872-1991846370108754762115533078"
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "850115011-1114543276-1322353203-1394740079-1142688974-125975080215283231871550574559"
1⤵
PID:2256

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-310056393626775723-10564932411344649134-815442176407590067-1330306365-552902832"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "298181198-1196685777-1821164415-793559922-1413945034-764277350-1703850254-300476059"
1⤵
PID:2172
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1716657070-2030516936-10093367601226381518-799222150-2286107051027624908925904965"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1199252488-2068008081-5189918181308952578-54974459-20047145981359578181-1383519918"
1⤵
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "372358944-1093995522-17018899241936203555-219688694-1033847942002929201-1893209572"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20248896121743676259-13978427949827357158167779531259030400-755647101-1778029219"
1⤵
PID:2028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1009822361853672822-171182931-395431269-2360273421351201015-955689764-1394550299"
1⤵
PID:876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16794169552003494876-1382246509-4246998491156762000-2092746617-475072295-1765047343"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BeYMEokQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2108
- C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
  C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
  2⤵
  PID:2064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:2096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "40046876619497022651241725676-1903866994-52769842-2058145035261071475-167053598"
1⤵
PID:1020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-134162610517132201181457348791808417101-7029641441929004617500583991480827028"
1⤵
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1539125706328973799-3821521831253191006-552782451910900914-509401127-291894896"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-151189306513907645511803917630-46548216134130536495044460511464178641817369921"
1⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vqwQQAEA.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "157966533115451233387196298-1258453677-2078052662-434496677-9608948521532960943"
1⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-379898336-807403304-2056919584632563642-957175116-1900386509-520747785-1489996757"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:1796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1080
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  PID:1708
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2720
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nCckYgwM.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1041715739172418060371144772-162075887-7863166101366313103-2010387104-1633890103"
1⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kekEIMcs.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "507319362-1913899519449984237-1050399114-1482302267791071741139782395-1891149843"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  PID:2956
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies visibility of file extensions in Explorer
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\GOwAAQUo.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:708
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1216
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2664
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:1196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1328466901-1229530272-842252904-1349918107424873551-3010954591459399846-1915911059"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "187799544514405126151994170400-1063300885-1656640469-1544702614-1041823761-191807654"
1⤵
- UAC bypass
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1827175536-834460894-78794526414485195172146480141573228515887529081-2069791548"
1⤵
PID:1892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1675162783337102506-867836184-1408879638486296693961494608-421308790-313803063"
1⤵
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "466136729-1456521029-755964696-1471394399-4413048117571875151983004861-103195820"
1⤵
- UAC bypass
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lEEIYssc.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
PID:2404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3200335256478001041361905470-1842190029-12696495221088790236251785487-1122404996"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1914057657974892840-813010200158323409412382876951293132710-1641525292362509750"
1⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TYUUggYo.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
- Deletes itself
PID:2572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4275837012094933430-2109824902-1527975072076756482-1823278966509601427-859137258"
1⤵
- UAC bypass
PID:2136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20761273418489073676041078061080430802-1615221953-197576210715837389751399746962"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1258524417-1830636196-91377295726424773-61212848015153153944509942142515012"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1632780224273477298-771681281127142321379280787016441113656685520511915046112"
1⤵
- Modifies visibility of file extensions in Explorer
PID:616

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1323824588342999665452286295-1309343650-82385736117649979992114908222-1738804612"
1⤵
PID:2208

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1223033600-143465908-1971054690120979471014389305382075029176-5616705871208060154"
1⤵
- UAC bypass
PID:2324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1029949353-1014669865-1843983603-1584858273-726993294-12870542062791911691233766064"
1⤵
- UAC bypass
PID:432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1025229174-5402458801762980442-16648787291739585812224602741520242696-642964964"
1⤵
- UAC bypass
PID:996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-142498376111790340-1740082366-181231909-18605701016276582201358782651-935792602"
1⤵
PID:1488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-686094994555485057152211157762100017686059827158506067-1942356339-665270674"
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-478549944-505047484-1120106069-509260640-24724313520669386631677786004414804643"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-374100680-283999320-810693300-16091437591678308113952076245-65735073-497672779"
1⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TOAsUoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies registry key
PID:2140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1704948865143008609-454545380-4358444791327490126385052766-11646977-1664747660"
1⤵
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1122333336-11605595418698936311531827464350241116-2021209233349568934-2223802"
1⤵
PID:340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-448092703-2034145180-1580160571-1309419684369610227-163721958416448023411291870561"
1⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JWgAwkQs.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:2532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1894645550144015643210065313021081742114-296734256-708105932694553073663159257"
1⤵
PID:2984

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2064783400714951637-1846301986826233123-1844113781325305525-15053636961013904093"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1371575309-8502102381443794489960467755-2669167271736996246102733085983432770"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19256485091915302263567505489-1963568796-4165210701745922058792333422007026106"
1⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ogogkMIg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "789556952729561866-1440821074-120518108313644981032183375012138581295-1961707371"
1⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- Modifies registry key
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\iCEEMcMo.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
  PID:1496
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2240
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  - Checks whether UAC is enabled
  - System policy modification
  PID:1592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-571719135-770538076-157603621357939733744717046-1696151928171628835-2055944288"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-784890481-52146193111614034281858380844-1100262835-1121847821-1040852817-1126416850"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1822743157-1376306137-781411846189373841117139565861247718185190285704267344025"
1⤵
- UAC bypass
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "452955430-1281054491-1579027103-1894657822-1801789247-8622735351460566519-17156224"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1490183409-1147211413-12336939041868356465-71268651917602799421186036538-752319841"
1⤵
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4781128701569860475-36984442315131239062214771911390914862467894774-339599174"
1⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-343208167371399210-1478663226144486503-17824134821468686570-1313472683650390006"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "296847835971827804-714537292-265324853-15866735871337413592-1771451898641543269"
1⤵
- UAC bypass
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "449537997208137665412293260811183402150-79304177740656164-986250211-2096572240"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2396

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1146705549285107995827155939-1640870502-550694146133056603-687968577-992740600"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\rOoosAwI.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
  2⤵
  PID:784
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:1620
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1156
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
  2⤵
  PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "45200788-1873770371534474776-1658514964-1999966709-484456781332684276279515243"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-80959295331295422614602714201667085195760443997-1499079301649188621715903767"
1⤵
- UAC bypass
PID:2436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1121789755-6397684311417574892159209595016056971931876381233-2035955005834199743"
1⤵
PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "63874534-1685736589-1169786017-19396974-171122053488881821005697155876718400"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14107290761134909643-150255721792915940018606035241258381664-772675337-1922962840"
1⤵
PID:1564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1687795218-1812060421792799629584937565-1010681676123802617118950906741533154392"
1⤵
PID:1280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11269941731254691991-19217105531655612329557107760-113463369310194373301808260842"
1⤵
- UAC bypass
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12105649951759375432-1842129864-1539868699-1468631915-2121770746-586794025-1161710986"
1⤵
PID:2496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1657560565-1716634630-1186699674-1140575554-4513142221636243799-5806028301845000041"
1⤵
- UAC bypass
PID:1228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "370020530-1228473320339359815-1122365629-1950847773-1132747593-1706943259-38545289"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2095884573-792885375-1435032357-1934662376-1629524662-4393257351306593559-925184890"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1322955130-1291604257-678481477-182751494611819458002281251452001070607-1651606368"
1⤵
PID:532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "270970421-1494394910-308903693-180049629-2048185908746553950-2045509031895150001"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1934740657-6795137995260318851087544940698110205336109033-2035846860-594951483"
1⤵
- UAC bypass
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "76422723-6411121741868393507-675516462-18485116411146534701777169309148961374"
1⤵
PID:1756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "266937470-2061905467-141300481803368932822631744162350811-1565682765196951006"
1⤵
- UAC bypass
PID:2532

C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1711435031597627144-100085622369231809-1091951167-417666769693268648-841102685"
1⤵
PID:1100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "251895430-371689352-4065208531320714560439677419-7721559071954006076-458498737"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3551443141424677119-228499119-2001900836-206481433414673078011089758442962075232"
1⤵
- UAC bypass
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1879735510-911712723595385185-151076486-213902716033702492219559307271184352419"
1⤵
PID:2328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1362304890-347471992317904112-1084849820-1867159117112749358711031730631164683320"
1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CugUcIgg.bat" "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df.exe""
1⤵
PID:1352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1154086650-13621302601882467205-259295277469305929-603496678-138598329698993312"
1⤵
PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1681636127-17037675514138720787121056491724776432026737488-20157954451899572198"
1⤵
PID:576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "40073332518879852821820993487-1071932194-34513846068445262510310450661652774878"
1⤵
- Modifies visibility of file extensions in Explorer
PID:2140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "781873949-1419245230835286364-1170967230-15417042481011159737-13023816261713498767"
1⤵
PID:284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1309422639-98312578610834954239913090-93455383626330803015732054291253265599"
1⤵
PID:320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "836880373707343365658050284-116923735-1917429643-1686188243983642206663474218"
1⤵
- Modifies visibility of file extensions in Explorer
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
- UAC bypass
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df"
1⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "553207761120060515-149860792616962847878085824114227029031627131782769142924"
1⤵
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.exe

Filesize
483KB

MD5
473cd567aa133f4f15163cae02f77552

SHA1
7a2048394a3d70b30151d4392d9613c255c79404

SHA256
0f140a7899fe81e14a929fa8248de861e033a2366b2ba1a7dce387e3a2beb83f

SHA512
a73115ba9aed3739e2607782a39e3ca55ceb118dcc7dac64208047f5438fe03c054c38be33a5739b8bd7f6525f57bd9581074a1768361c8688707d80f46e7efa

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.exe

Filesize
484KB

MD5
fdb363eb0c7b30abce01a1681e23310c

SHA1
b1749c8798356f5d041785703de228487e9334fa

SHA256
b640e797bd19c339e64f8e3490b5794b9ed64d576b938c8643ae0c720f71d149

SHA512
8203d54ea92215c6eb3467d59f21c63cc3072b00766fce41e9df9cfac864836448b4b54d166c53f904948c83d22829abc5b6a2a5e7fea8d8738995644f234822

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.exe

Filesize
483KB

MD5
bf79976f9c3a915a2fdaefa847b98341

SHA1
7484e6d082a352ab8618738a074c7743120eef3f

SHA256
fb41685088cb7f8c9797c0bd6223cbd237843b421f4e10872de2a4808a07b274

SHA512
ba5a58b419e96290f6d8605c2af0e0c342dec254f0c2ac1c84878c6eb340d8c864e7297bf66fd7f0dbf8394bfea5a6bfe5e20fd4988b633597c50c555d2b85cd

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
485KB

MD5
52c0579fd204e9e4773c0205e3ee8516

SHA1
b27ffe25d54d0165914f4ca341c222319dcee0bd

SHA256
c5ae51fa87d5ca39f32a57e619d9e8233d8b57e7891276647e6063b537db72c5

SHA512
beaf5806b8837c0bdfa7d6c4a4d5b11b66e3b21bbec075072fada56919e50d45e4b1168c466e13c8166443431b3d33a1948917091d941acaa812c80c2c135200

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d237f885015bacd32483f7d4135d1df

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AYAO.exe

Filesize
479KB

MD5
1b096e2b77559cf38482145063b889d9

SHA1
6d882550c695890fbf51790bbf6a5de252abd8ce

SHA256
3b20704241ae4b1705ce757e7809bea248bc8989c32d35025c89b5ad8c15a8a2

SHA512
79f6575378df635479ec6f9b585f5829e7b1be8f085b04e584b59664ccf877c65d4730e966a0ae91e795613c2d1628580a27255b52e8a6270b271c91683addca

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgME.exe

Filesize
823KB

MD5
f0097ea2bcf82652a93643fb311aea4b

SHA1
f68dfd4c4944d83c02541b203fcb69c5a1c8d54f

SHA256
3058e8bf4b1b86ffbe5d9c61e695e3ee6827457ff14738c0b94dbf80f120e0fa

SHA512
b466aeb6f724c6fd7435890f25896e0d159a0178adece7c15560fe4fbfa70a2306776b5cade16966584326d4d18e3b631a5f072a32d71507c1ce38542f30ba9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AiwAIEEQ.bat

Filesize
4B

MD5
787dd5fd4b5ef73a10bdd51361cdb104

SHA1
f807dc0a360dfbf7a14842ff2cd4732d5466f7de

SHA256
6eb18f3bfc8a0a8366184eca731e79d255584e3ee129fdd4fe2b9786599fe8e7

SHA512
7ad9744f24e484a43e57b398efb427216d7a6405b3f9f804ca90441a3feb0c8b81f360c28f082a03ef31871623aba638085415e7fa36aac624d24ac9fa0460fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AqQAccQI.bat

Filesize
4B

MD5
a608cf9233c80f06d688db8294a5d78c

SHA1
2a09f270ee5d327bbaa7b1b3975023e41c0bb5bb

SHA256
52c2f334bc9fade06a066c83b8ab4675e8a592e791a6cac0287abcdcff2aae4e

SHA512
e15663b92bad951f3c9df26a74d56413f74f85e158743cc8944595f4118f0a178b559fe06768d986640464f71350fdd833d0e4d488014b45cbe7422bdc2e0771

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEYs.exe

Filesize
462KB

MD5
d2e6e27172c22e90dbd7a96ed7b319c6

SHA1
defe7b40715914ac43073c0b26f32fa6fca38e18

SHA256
e3c5ddc4c599807747f975a84d92d429c31bc5ceec8c3f884dce9f3b7cbe0c19

SHA512
e17302bcf153eeec0ceddb09dd33b067f2ebd69adb4c7cdb8dbdad489625de2beb07876674dfbf477cda115fbed5b2185db87db893170a4c9e0f32c7ef7f21e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMAe.exe

Filesize
484KB

MD5
00210f7ca4d5a9b74d12a7f37a3bf842

SHA1
b94d7378f9b6330dc48b67a8fc46fbbbcae6d389

SHA256
ab77b859e19e43b74bdb55c5ca665dd51cdd421a03680e83a6e05f5f90795005

SHA512
c36707772500226bde401a8e2e935b2a2d34c6ffd1e9cfc1b1e811331f5fc301484d9af02ca109cfdc27841ff31159fd767fbaaed0e357c5f844e74b7056284c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BgAO.exe

Filesize
480KB

MD5
18a82072749f99035e6822db22760abe

SHA1
3f3ceebb0b41c49bd30a475b47f3a638e3e1d955

SHA256
130dcc3c23325a54da2f9bf6518380e5adcba4e081b662ee36dfa2d4528fd06f

SHA512
16464a01f9ae17893ca3569e29dfb2e2ee25060afd0e0af14ef8f45242c3ae8cc86dcf0b0805cc30c07a32455f302f8a4be419f1f03a0ec1a9ccfc15ff861036

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkIs.exe

Filesize
482KB

MD5
6768906d2f8729ef653648493f953b28

SHA1
cdf8cc3386b5280b9c1dee885502790f7917ad0d

SHA256
ca394143b9ac0063c528dbd7d6624bef45c189d977632b0839b76e507cd9b64b

SHA512
65e6749be591e4a10ca6b2b7bd5d07eb399e44be8602d60b3503c9db71e06faa6f14fe99f9890dc1d8da592446b6f3b6ae43e61d4003e4c8d2d956b0bbabcb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BswMAocw.bat

Filesize
4B

MD5
8d65f4a93f795d87ef9c4d1f7bce8174

SHA1
ec206d62312ecc82647b17726d2a041c5f1da681

SHA256
f72d70e96e5ff063930c8a654844274ae5267310480ef1d86d24c4b098e808b6

SHA512
326e4f9aa8d6e04e1ac8d420243a812b7fd130e357f5691d762027a089d6475cfe613a068a2177467d7e38f55ae47b16fd5adc738f4b01e6105736dde599c347

Download Submit
C:\Users\Admin\AppData\Local\Temp\CgEG.exe

Filesize
1.0MB

MD5
16c8282dbc9b82b8066d412477517990

SHA1
6816b7c19d8a0301a5773505693aae502c5fbf4b

SHA256
406bfb39e196ac55b1e7ca01d49f12b612d7a487e90e8df7297309aebe7d0ce3

SHA512
e3a3610f7c8c93bd523336e7a34231a7c0677a6498b27befb27f566a7b2b3f6e6aba0ea15d8f7797dab8e04a4aa36d73541cac2637179387a2c46185e129d737

Download Submit
C:\Users\Admin\AppData\Local\Temp\DEAQEAks.bat

Filesize
4B

MD5
adc25a13ef76991ab9a0344cd1beccb6

SHA1
191647fb6c166241614157a2829fa030cd6e796f

SHA256
5c1e50273028e99a82c9c6f85d6597afd5ec8848b77cd600361f57c8cc561cd4

SHA512
808603dc57d24f2e27697412ab21de48bb7f943f2bb808a84139468b71a52d693c490f4c660a246f68ff6dc88c5ef751a6db3b4ff13fb77fc9201581be8fe77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DIYU.ico

Filesize
4KB

MD5
964614b7c6bd8dec1ecb413acf6395f2

SHA1
0f57a84370ac5c45dbe132bb2f167eee2eb3ce7f

SHA256
af0b1d2ebc52e65ec3f3c2f4f0c5422e6bbac40c7f561b8afe480f3eeb191405

SHA512
b660fdf67adfd09ed72e132a0b7171e2af7da2d78e81f8516adc561d8637540b290ed887db6daf8e23c5809c4b952b435a46779b91a0565a28f2de941bcff5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMAO.exe

Filesize
1013KB

MD5
a88460ebe2f73d6ea2288e4f9656ae99

SHA1
e8df3812d6741ff0a1f13977c75b51266b4cf8c8

SHA256
d84d410594206823fd066f3f5a86972b17947844260706f7ac0cc2a4df01e38f

SHA512
d0c71b5b6b7ec62bf2aa40e6e9399479d9eea8f75b64a8f9d61e96fdf31d111b47e42a5e30bb0a4de59d021f34758e3b36767920dc7659cf602e2201ae19da0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DaAIQswE.bat

Filesize
4B

MD5
ba0dff331612dd1b2eee15ee439ad033

SHA1
b82d707649eec0274fed141b72cd49dadb8253ce

SHA256
08a3928e6e06b0538a02f173cc0dfb9ff56a93355645b558cc9235283a276956

SHA512
07ce83ae5f19013a37a72b13def70c6bab9299fcb3867e8243606cfb8758704ce4fffb30257c226b4383da66a5a910897de5371fdf3c7f2ba967dc4afdcfffbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMQw.exe

Filesize
1.2MB

MD5
8fdc98db09a57847fa44fc6fdf490265

SHA1
7087e934eee5dc7e2897ce0f051b62890b61756e

SHA256
6d448d1fc4825b3b29f2088be03cb6c9e05655572ec0787fbc034220c7a6ade8

SHA512
693020baabf5ba8bc73245d476c3f2d5206a43c449a7348e340af33640b2d4318fa5320066d071bee15fa806695baf5ae929672e2752922985c454305537e0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeksEAgA.bat

Filesize
4B

MD5
b36337448ee73546a6abdef300237adb

SHA1
53ead37244b5816246440132c59f7022015994b8

SHA256
addd333bf3ac4c88cc616c73ac08d095e54eef16c811e1db8f3270daac8431a8

SHA512
a3f805d0e5ccd5145d9186c1121c669349e6e45ab7a0460af8a3de9c7f6bb84d2ab2b890037c73b1171a12535427a6d66a331cb3fef6593bdbaa4aa3a5fb991f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuwMAAog.bat

Filesize
4B

MD5
c1d731805b84533e87734e96554f36b2

SHA1
bf24045db0d5572ad40de0bf077f253e1aadcaa9

SHA256
a2c600f01f671743571f9259aa9b337e4167f6b4de0bd46edc05ffb43926f2e7

SHA512
0ad06794e3c2af7a683f783b82968eb51c1d92da747f1fbc53c55be6a84b7548b59e67f081317f40726de94ef7f3a3baf93d1cb3f0c80c7a2b96b68d006913ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMMY.exe

Filesize
962KB

MD5
73eeb2cef5c3c71151be6cbe7bbab304

SHA1
cdd38022ee0c21ee570e1f90f42596997be55e42

SHA256
336d1c017b6d58e4c04ffd3062f84925572d0f5138cd2b77c62bb3f0adb2a327

SHA512
13e2665cf51aaa736f797231a6a4a2da9ee97f0a20cb7605bd0ad9e640c69282d80fe896273ba1dc1512f6bd94cf42bb4382584b45b073b665be52e158dd6f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQQY.exe

Filesize
3.2MB

MD5
2878e52023fce0981ceb27eefe77ee01

SHA1
3013ce9a45ce5657b9ad3a873d6a0d8fe4ef3882

SHA256
9dd926795bb9fac291f3514336fd1e93780c2c6c42da534c1a0bf6bfd636820a

SHA512
83667049e0d97293180e7a8ccb864b8aa7ab80e3c1fa8b108f14df3016c990328d0d0d8c6a3ed8eebc7f0373e934b21721d2743052c6df2c45ca5e994d9aace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkwgoAUg.bat

Filesize
4B

MD5
03f2731c9ded06639913288ce44716b1

SHA1
12ce2629d608e2ee8bd84bf666c945d96a22de14

SHA256
dd530c16ab8658aebba93074d55e90db73b0f9dd4626d239e521fa2aeed7e413

SHA512
557c5d27140d515bbd7a36c7524b1719dc1df43855a6933c800a602765c6a34cef3f874ac8c85694ec7cc592e2caabb1f293aa96c419473ac3a262b07bd55868

Download Submit
C:\Users\Admin\AppData\Local\Temp\GoIu.exe

Filesize
473KB

MD5
c727f9fe04520fe9959b96eb26806cfe

SHA1
5fc16c26dfc10261ca20bdc6e8d50417e868f9aa

SHA256
bf89fe376e591b561f22ffc443e22129ef153fbf1f5299edf7827296527b9abb

SHA512
7d309219956bb82d89e3a1e6c00b7c4ac6445112f746b7b29f65486169fd5f4024ca1caaa01a7d31ba4d642478bd8040a34559c86ef6ffeb805f67a2c36202e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwwEUkkA.bat

Filesize
4B

MD5
6221d1d50b4e1e98e3eaf87ff9a4fcf4

SHA1
3a63c6f745ef7244d36318955a86a5f18db94e26

SHA256
cdd1f815a38b5330d57c92664691ed4bd3ee9854266f19e5a3fee7c3498bb806

SHA512
3d45f4da8786ed92168d8b23ca7b3fad940a3b97448033842523d0fcc2f0724e9b3473870bf2eea4a37f567eeb7bb7b809bc7a29179dc2fad8af7044d3a1644b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAUE.exe

Filesize
482KB

MD5
e5e107e965e606c7eb2d9715ad37d585

SHA1
288dc78f377a88c3a915d7ca6846bed86bc1cd00

SHA256
318fa91dc174dac76ec46a603714a42e083fbae64b8b14c27f7dce7fe08a7d71

SHA512
5c2fcc17fb2e328d87724f9ffcf137ac7ca82fa318deda7285180de5215068d973a20d398b24d93daa7e887b17ed8f9250a3f471cf1e33e33063743e1879b067

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAwY.exe

Filesize
470KB

MD5
3f17eeedb9a64877cc9b878bbcf5c4b4

SHA1
1549e543ec542de8b41c19a415e424ccad0ba71a

SHA256
130694f797f42aa097c28b796c517550f7faa507a57c63dfcbcd8f6ca21aaba8

SHA512
646cebcbe6681137e0fee3e936ea539f7585dee2ade6d5f86825153f609b79a8d065585071b1a23277e8cc3581e8269d234c9502ab900a72c0c3465e2c63353f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAAS.exe

Filesize
484KB

MD5
89080a3b75ac0ee8a0109cdb4fcf107e

SHA1
a677612e61ae8b37f31687400e41dc150924e1a7

SHA256
b62435fceb55dbe452b72eea1a4236a3129b406266d5a5f80d01179e56a02f3d

SHA512
205fa65352c2473a6e1c41e3bacddd0ca837f45be19e9443d8b5e9beadd3f0e1dd267eeedcfb791408a213f06d3e7c77e65f7ba48ad656dd766d7bdbd4378dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAcQ.exe

Filesize
481KB

MD5
32d0c6b3df49f8b9515df93bf2b02194

SHA1
bbd595c6fb6cdf94ac809653333bd57d0036cea7

SHA256
34de6293f99576c13107738073d66498e132cb1f508b7948ffa878f2682c473d

SHA512
7fc387df303f7c1ea3c7fb253143329fd1e5a657272a721d717a3d32c4aecb0e01a8602bb87b09c07fc990852930c3189fbc47739765fda2dc3a7d307fba8c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IeokQEUo.bat

Filesize
4B

MD5
b2e6dc93732e13fdc8722d129574b782

SHA1
243d43a16b78c86d4c41f137d5afee4926490ea7

SHA256
8835ea0745cdeaa7f739f3637ad7e7ab253ba685e14b1cbd370faeb5324f2c3c

SHA512
2a444631eb3ef6ec0da3192712bb14f01905b6bbab749e44babe94b778f587165c1b710c0ab358d34534609bf92e184bae3d9215bb3d36e3fbe2b82526419bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCgAggYM.bat

Filesize
4B

MD5
3ebffdc065bdd5592ad70fa4e3ff7553

SHA1
0524e7cd7f8454cdbd78190b737f5a031867b725

SHA256
d3480620d45fbf9d19c845cd8074857824cadc8ced0ea43b0458fd2eeba9f410

SHA512
71297408e53288870dedaa5b7ce051e6461973c884b4cbaefa20c363682ed69ad1872e8b7fb0cf5538d1ec2147222dfa23579ea3681bdf686f0e49e4df734d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeQYckAg.bat

Filesize
4B

MD5
aa98aa02e414f44c816287ee969100a0

SHA1
db514388c0f88f27eaf17428f1448e56be685042

SHA256
d596e623f492cb39c1e9efd159284c25884e6ef087394cf8efe16ffd320d0fa3

SHA512
658203514b6d4c3b9ebfe5417535835a90fc7c1caeecedfae07e98c01aeb2f44116bc338a607393d33d7c27fe6978ecd0ef58f8978b40d40e7508d445c9a421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JiQMMsYY.bat

Filesize
4B

MD5
82c9dea29ffafc5c8a240e49aed205b2

SHA1
560e17015d8277062d3c4b5148addc817fe8c819

SHA256
e75f8bdae4c5408c384297273a92ff7da4d762a43202f6615e7429f001fef444

SHA512
0f3a36a780a6806ceaffd830d0c541dc468c5161b44389f4318618be9350dfcc4d14155f5b8a616807c09177404facdc51a2c2ee4c32ef0759bfc0fe3edce095

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqAwoAoY.bat

Filesize
4B

MD5
aada0d9886256ce031f15bb97273ba5b

SHA1
cc44dc97e1622a47dc5b78151362e8c6723a493a

SHA256
e7e5a1656429fe58eb6f498e389af393d2341a6f6537b666228901fe0f22b269

SHA512
3eaae62b43b2cf799e5267586c13f5055f26ee261179bef8360ae834401929b7b419f61062588a56d4bb1d130b63c5de8b8170fff1a914457c66b5c2b5dda83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEkC.exe

Filesize
479KB

MD5
15d791f6e56de853c4c48f5d500da557

SHA1
91765df36507593d7cdff1d289c321c105a693ff

SHA256
676d51feb41f1721b15ae501652c549f3bd9c42bc20dc37b4f416b597483ce6e

SHA512
18ac3c7aaf06b0fcdda6606eb0e5318138fef1ab4f649cbdeef62e139db346500896981359025d0db7f0f288553d05c65df066f13bbf5277f09f76a8f5e5fcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYsI.exe

Filesize
482KB

MD5
6cf75ec4590f62d8320dc346508fb870

SHA1
baacbfa5bdd4e2bbec7bd6ed0d97b09164248801

SHA256
82a4e10e63f14f9a5d5c91be4fbd0f7a2d7bb5a667512f95c27cc2ed904342d0

SHA512
d0e7cef92a614dda6a142144f321ffa8ba177a3c7ff98ff8fc619c405a498e3339f14881a586002b66645bd3337591580b831cf42cd2203dcdb842bfe7c0c68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEwm.exe

Filesize
558KB

MD5
ddb51962ddd8b5b8a9a82ceb29f5fd60

SHA1
e6d54e36094ad83d42a0c6bc03356373147936cc

SHA256
1fcefde6d219e3ff36bc43875843b7d9ecf4369f4318b4661dbcdb0cd7242ee6

SHA512
aad403fc4bf7f59a09c40cc00c8b73e90e98fa1f685f8e3da98441e4930ce26188a8c2509504c6c2d5c9cb4739d087147d4a531e9e72d1435b08f14a2b8d8ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKMQQIIw.bat

Filesize
4B

MD5
f39d2eeebb827cd5790eccf4bef06f2c

SHA1
9253099c0cd963322375eeb42348269c7cd6aeb4

SHA256
09e959eeb92dc97f8e028d6fe44a3407578193647944cd52d26a8ffe602533ba

SHA512
6f724d8b83638db54d9eaee49cdac698ef10c2d7829ebc071c9ecc9e929209107613691cc5fc2111db9fd6c72421a74386960d3fe61670b6621a31323f7bbb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoYkYoYY.bat

Filesize
4B

MD5
9f3e1a1781d03bc37d8202e77ce249df

SHA1
4350308d5e2c229877919fd074c1ab56c13a8888

SHA256
68f9aa9bdefeb59cc40d6a8d38041f0930a9e7f139d6fe3d212c90a652fe8b07

SHA512
2ed190f0fabbe5dcda90ba4506f2cd67d9a794c89f462954b43f31473b7430c9ccea937dae82dd7e0dbd59ef0bf43a056533422d18c9166450bb9fb01888bc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMO.exe

Filesize
2.1MB

MD5
422182a473f26b95cf1da0995e3b1f2e

SHA1
e15ad344a7be4e08d75bd6e376773f80f0f6d9ec

SHA256
c071cb482f143f76ec073660832ec367de6dbdd466a3c578ecd1bd2c47e3fb01

SHA512
093e28f3aff3e9773aa19b6dcbd485a77ad77692bb99151bedb3776d66f4f6f42aa6b3e18d2ffd13a074110b2bcbdb91d93a0d23336472fb2fc0fa27a62ec2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MccYkMkQ.bat

Filesize
4B

MD5
fcccc9004507f14a1ed8984a38bc5bc1

SHA1
f80b53b65487415e1751ecc141bc8a84fa2210ea

SHA256
f5e4e5847ea6088beb8560ed04da49d950af76b4e5e84b8d549fa4eef79ee2fc

SHA512
acb0d77b87a5989174b4736ea9fa9b10900c39e4890efb7d27f6c6001783e4e7ac98aaf719a54f77d9e63971b9ca1657a3ced864de1f40c60fef7b568467cf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgIwgUAo.bat

Filesize
4B

MD5
8754c1ec9426d94f922c583b87f30055

SHA1
5a1dc20de2f887721f7a50733f61cc70e9a0723a

SHA256
fdadb1ebca6baf9d12c700dd856efabd92c5ea29a9457a65fb644c3f00d15ec8

SHA512
33160a246aed4abcee86eea92bd888f488e833a42f361273420f65d001948a9d152bf72bda2b6f5802213639c78a5b74d0b7bd98dbb41390441d55416cd91285

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgcU.ico

Filesize
4KB

MD5
47a169535b738bd50344df196735e258

SHA1
23b4c8041b83f0374554191d543fdce6890f4723

SHA256
ad3e74be9334aa840107622f2cb1020a805f00143d9fef41bc6fa21ac8602eaf

SHA512
ca3038a82fda005a44ca22469801925ea1b75ef7229017844960c94f9169195f0db640e4d2c382e3d1c14a1cea9b6cc594ff09bd8da14fc30303a0e8588b52a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiUsUIEs.bat

Filesize
4B

MD5
b372697e709015e88fb90a451da52100

SHA1
895c5894de2284261a675390fba9c857e5f718eb

SHA256
4eec423d85c06e5006e44efe391efeaa539cad00d983865ace590703c248118c

SHA512
44722be48ac86309ee46d88117c02588b5136bed64a6166d16586dec865de2d1feb049a846c136b27f53ec44b6dcf967799803b902985ba2441325d98fe869e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuQkEMIw.bat

Filesize
4B

MD5
451427d8b1ee4cc3d2a03a57aede8608

SHA1
fbb9aaacadafc92513c70a6555c909ef4b01e4c0

SHA256
6b5466b0c63054f31b8253b6c08d03f5043c873590580102ff1e4f6ad8f73c29

SHA512
5a22c64e720ad91526db55014e95c6beb8b0510ae7af58430dc77bc2789a3e36713f6f96602e8166b45ed923fd04c2a05ad7c2357945574eb054f696ad34d2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NwkM.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\OSkEMwQY.bat

Filesize
4B

MD5
c54ae8a72a969920b053584fcd06a195

SHA1
30e4987c5918485a0b4269a707fa49ba46b80fe9

SHA256
6eac1a229757f49f9c8d7230659415bc1f4aa9f89d8377b364b2ffc1513ca9e3

SHA512
ec95196e361208654539f11dd96ee194608b83300b97e431dc9b874fd335b8b999bac17c37b4af8198b9ff83d0fade59d717afc3c3f93c699bd50d5a7255bbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUkMAUIg.bat

Filesize
4B

MD5
4590f2b35ef84ccf65b7c416a77fe1ab

SHA1
0cfedb3d478cc199a7f9fef2edf8339a0e9e3c5e

SHA256
6b538fdc98dfd12cac691c4061b89e3b0dd3dee3388dce50c5d7c1232b588a8c

SHA512
48185fb4a3e500a19860f2322797f5f2f490bdaacf766c4633e2e8d2806bf5bbf4c8ab0051c1923771325b0b45ddc82964275dc55713f795e1a0a773b3ee6e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYkU.exe

Filesize
459KB

MD5
d7f2f17575ba6ce2b43ffe908d1c7706

SHA1
6f4319b2bb1b65ee9fb0582a71771f2d677fe072

SHA256
a642e475eeb50f066d4972ec0ef54a9756d3de7c585a79959c8421733c13664d

SHA512
cc83e89c77c27e044fce73bfc41a46d2211b3f48f9e8b9aadcbf8bf2b4230977a966a3806bd989d4dd7298d9bee591ce8993b220822d2e707d401ec5571368ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsMs.exe

Filesize
478KB

MD5
52c07e23010971e3967f52da7fb0f24e

SHA1
09ee91d840a04b42b9ea950441c9b95c11661524

SHA256
409d5e53f2f224ca198bb105a49cade941388df93cef9515358960351716cf63

SHA512
7c22c4d929e4745bf2e8b6711b7b8085ff513b01442080941f4e3d8e9ac7d30783a0e45ec18f654138187a19fd5bad8f30437ebf769107c83e7bd0cc2eac9c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGMosoAU.bat

Filesize
4B

MD5
29034a92ee55ea77e8767aa8b0a78c10

SHA1
7f26f5c969d13bc79f6de79809af8cc8497ce6fd

SHA256
a23a26bbee5dfe11dc7e1733fd977b12d658e0531c5262d34afb8c8c418497c2

SHA512
520ebbc5bff8acad689aaeef41cac1da78d8eb0ae70971421f57aa6e9b4515bc2499c5f1f5f083a9a9ee7873765e66821b92205afe9d7e8ccca2c74dd3a7f537

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKcMgIkc.bat

Filesize
4B

MD5
383dbb20fc4e93dfa2671b6f4f145749

SHA1
6aba528a6150a4501880a60b1f6678df88b6c231

SHA256
00ad51158eb89aec79777ea6f9d8d8860bb123c8ab84aa612e0d0e1323d66e5a

SHA512
7f8ac6d23cbf0ff1ba13feaaf274042a48673e3ad0bd7a48ab713aefd60441630444947b36e54df0cc624f929ac8cf858be9169efc12b4362cd434abf42bb641

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMwEwkAc.bat

Filesize
4B

MD5
480b90d04f27e85fde1457a832a4efd4

SHA1
6accd19688d3ad9d3101d285022d0e07adf4babb

SHA256
ceccfb3593912859f7be48844f376843e822923b168caae0a47b62533534f61b

SHA512
623854193e8ceb62b2f38166bbf7bf80e58c69b209533b3badaa44aff10cce5c4d7c1bf075d8a593c81aa1fff2925e00c46a53d8036bd2f44a26f53aaec13616

Download Submit
C:\Users\Admin\AppData\Local\Temp\RccE.exe

Filesize
480KB

MD5
09dea0902202ff446a4559b05b99335c

SHA1
df7e1b0d14ddd7707ffa428a358d45a2577e8204

SHA256
6d8079284f465b4362d0b663b832e3cdd2e77fce128208291a81d79da3c15474

SHA512
a353ce3b000110c3db95d4a272e99958b1012010c0a7e7a02bf881ca1aab0a1ab304d85e72760b2261215a37213ab47d79ea251ff2193dc91ed972cd5cb3ab40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rowu.exe

Filesize
1.1MB

MD5
9dcbb6c7452dd52882fa32bef00741fa

SHA1
ccc97aca7dd14299c8af837816ad3c85c84d2fbf

SHA256
bd0c169fdbe1de0d13dcec61e3c20bf3c1dfa0ffcb0008b1bd628a39732370a0

SHA512
25d06c9d1617e13dd215bfc8f46c1d6db7df326201be0be1f5839c62af9f6b48ef7aa04086c850887b686c3eb34d068fa725b81c7f580a33d62ef4832c83d56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIgQ.exe

Filesize
891KB

MD5
9100f0e2bc6c7f0e973c30016e977c1d

SHA1
9f6416338f18f7f1375016e057dd96f077feff58

SHA256
8c2945563e635649446e95cc736a413b06891235e370bffbf3aac61320fa6f05

SHA512
f18dc12c92867017117d4a906397c30af5e2484d9cf51bb5f941ae4b6a1c90600b1df294daef02438b6f1cc0df481a2b2bb2a9df28b5576e57851818b12ce4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScYUUAIQ.bat

Filesize
4B

MD5
74ce645090c40218a68acc89276f2aed

SHA1
7c6a9b91a4a48be90c56cb9b0a9e51a59564d9bc

SHA256
4844fb0a3bf77a24d34647f98c852714b479bf6264d05d40a78f7f753dee563e

SHA512
9ef958e566e08b7014c8308e8a8720126460566f4e32d148c2a4aec24fe01ddb49c4b321ae1a1a4f315304be81e54915acd924be483a701aff42a68232d40a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScgE.exe

Filesize
483KB

MD5
de22832c00048762255bb4bf6ceef4e7

SHA1
3e9cdbbb73fcd802182402674236ed1abf01b065

SHA256
e67170d9fd7646ab7514e2f25cf614d44fecdfa29637c46b134cfce1faeafdfb

SHA512
de0769df06e00c1170d773d14322988b80b8645e9841cb44946ac02853f82de152074a330acfb09a731fb779c7d088d68d9d07a1c805a70bfa9ac38e00861e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqIggkYM.bat

Filesize
4B

MD5
45c1f0a4c9a6edb126500ec0b27eaaf8

SHA1
9624a9011672e1ce7f0bbd036457e8712c72aa17

SHA256
b30a998cda5607303421fb81af8ccae21596a6616a573773feca747a347971d2

SHA512
0b35a6a838f92d6d180a6cd18041527b7ac7434020e961f2950d3451229a4bd2bc9fa553db810c825593842ffa854519ed5fc074fb8ec19bcd27bb86c2377136

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwcYAIIg.bat

Filesize
4B

MD5
20fa7d559b6f1c90d9a6c0de58e34970

SHA1
86529cefdeeec9f88a5e1785d22f16e9c516ba3c

SHA256
86b3751037cc98a5b26479b71a68632a04734a9fea3e5d902d4a50290958f581

SHA512
f4c596877f0c46b63eedfb29d3282e4509586fd5aab2293ea0847cf27f6ea42911fa95f02b98881f84d0184c0d525f216fa548ee383865c9c29c2a0c61e5a659

Download Submit
C:\Users\Admin\AppData\Local\Temp\TIMs.exe

Filesize
92KB

MD5
87c5fa3950c3671ffb1658f096e1e71a

SHA1
c36e4ffdf05f8d260c6f8275c879f20726a1b96a

SHA256
ae8ac74d291b0d7513206ea39004274d4745d028a7ba9af467e7b8c4bcd0454e

SHA512
94a817c347fafdcf772b2fa51588533a2d8aad39a8f879d70070e89b44abf9c4c2d8f41e330336d014ab0327917f40738b590df7673d64462ab5b0ff4a2bf88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMUIcIwI.bat

Filesize
4B

MD5
4a881775cc17e63b35d4c954543224f5

SHA1
7b9150d2d66c691351edfe282a83378f679d1c4c

SHA256
4a1fb89909a0d27d1f0c3b0230c39ed28eb0ba40cc5398a70f291e8bfb5770bc

SHA512
8d99de550b64f60668c8efdb775ab56581f4aa629cc00c189492e7a96d0df7a5f5de298aa35213cd8f44156804cbaf678efe39ad25b459edfd758a595ba26fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUQgIscw.bat

Filesize
4B

MD5
8723b5c7e6862bb31a5076bddf44d4fc

SHA1
e40d4d696c76f823d7761e86f6855b6fa62a8703

SHA256
5767ce5a0f3f0bbc7862977f3c35b3be690e2d33667dd8ea6f9ba9312174ac45

SHA512
00b5bfbf21a1cdc4949605f65ce12e75723e45b3a234e05990370fbc08da6fc882ae00863599f0b136595a0d928eed6f38f64edf66acee03aaf5f8e884742e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgcgswIA.bat

Filesize
4B

MD5
d87129da9dbd7274de3b734da6f54d55

SHA1
a33e4f9f11ed301c575a033ae513f3c12b26cb45

SHA256
7ec6cc1591701bd64195f99162536450de83849b7acce49c17a4c6856d67e689

SHA512
91daf72e505b43cd27affacb3229fe52b1ba2f79a769c3132a43c517be650d9fb0df565a2aa646da696ccd767136d98089b0ad456ea6d0d826b3486dfdaab1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uocq.exe

Filesize
945KB

MD5
6b6fbb828a3c6a0725e81583c8ce82c6

SHA1
bf06a4ed1f82f06fb3773b385685e9cd2a24d753

SHA256
1cb2b9441607d5db2e91230f2c8a3fe19bb7989e4cd0f55d6f39b14e2dc3a7ff

SHA512
e6c627475bdf08a152467af90ad60b82164a33c7fac9b406c92d8dd688fa150103d1042de1ad696d4d5fc7ea1a3da490bcedbb0d9646b93337fc92bde5ac4703

Download Submit
C:\Users\Admin\AppData\Local\Temp\UosQ.exe

Filesize
480KB

MD5
1187ac3db4d1762f25536524614baa52

SHA1
85a91cf4ec03bb7b82ad69af63cbceb5583f6ee5

SHA256
683bcd2230b360e1857cde9fa211b0c159f8939e35cf07c75bb4b43a2e4e7dc5

SHA512
5885a3316cd9a511fc0ba417007a728f7e3bacd463f1a9aa6c1a7139ea26ed92aaee30d4ecf68e8fb7c5ee7c14b89598189fe941114ed0623ae912e1f6ed0f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VEsUoMwU.bat

Filesize
4B

MD5
b2f26aa1ddc8b653481e4e8b0d1fa829

SHA1
95c6eacc94d7d370b54ec1071e4048ce5a8f1e47

SHA256
c3cacbf66f842b9c5dd139d40a9c432211f5d741569589c2f50e7f682630fb07

SHA512
48531c9a5ce6665d089d9c6bfb7afb8374564b58f8843d997e6ef5eac043582125738480e067946c64bc3af1363c7ca31ccec5ae74b6d52740c8a1515ab51bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQcskgkE.bat

Filesize
4B

MD5
8112376e6056bd4a5550a88c4f0161d2

SHA1
757e3f675f3a91938c2384afe54452be905cdea1

SHA256
579e14331807abab789a0b98294c3ccc89e9c3dc42f81ab5037bec1bbef69f92

SHA512
a2a115b014fc441ef2aa4da5b37eae35dfd821c092e922c1909c448d82af0edb9a91d47f3f8e358a5f93efcc7a1567f45a6bb3940c0a0e6b5e356783487a6e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\VokssMkY.bat

Filesize
4B

MD5
6495a0c9183a0a800620b9db3371f922

SHA1
e008211e3c17c9918b0f351f108591abd34c0d45

SHA256
1c7bb5ac0257f03acb19659bae1c6c0c81491c7bc3be4b850cf08d04aec14898

SHA512
c0c156ea9d7cbce3d2d747a78f1e16eac8631ec78a35c6654c20cd6ecd0c8ceb1cb45f5d44d8d9e25c70758208b6fdabd94b78c96c31f4c0ed528785c5545554

Download Submit
C:\Users\Admin\AppData\Local\Temp\VqMoYIks.bat

Filesize
4B

MD5
bd22f189c29516473802589db6d3ee81

SHA1
d1260f47c43fe52b7103763882d9b256e768f259

SHA256
44a05dcd6b7d6eae2b4157bb81760132f012de66df729ff5887b411b4f8f1791

SHA512
6338f6eb8ce262126c9ed3feb1b01cff9275ef85176ec558a00bbdfacd2c59d9105a68eb320a8092b2a9377ddfc875dc26d789ec8d48c962616524ab2682d797

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAAU.exe

Filesize
482KB

MD5
0290a6e3f3642e34e12ad7eaca8c116e

SHA1
cd49b3115417a1379eaf311767f4ae25d2205169

SHA256
6edc6da8cdadd5fc354f21886a83e19723682b97531c9b46290ef4358b0d9f30

SHA512
55eb970279993d08971061c5bb61c40dc1b40e2d1364ee04283e8008934d923747f48a848eec7d1c5727655f8a987b39f959c6046437a205c17d5812f793a362

Download Submit
C:\Users\Admin\AppData\Local\Temp\WMcQsAYo.bat

Filesize
4B

MD5
aa7e14352fa13c73ea8daeecaa8bea88

SHA1
3433540f63380b0c7033dc55ef10ccca78e7bc41

SHA256
70599e39c3e7f8f9f3d43443dd634db4dff50942c227b2bf6f4bf8f062a0faac

SHA512
9a976b93c3ae246ad9aea6fb1049458f62e862ff63d09636279ea6cbb7c736c8dec724e6bf30419c038d412728c2b008eeaa67827f8ea5a052c8d70dcfc31ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WssS.exe

Filesize
482KB

MD5
50c60f4df5c1aca65951c969eb2c75ab

SHA1
5b29def5b12d848adc1dd800cc2d20aa2202af2c

SHA256
4952e253141513374f879371ca085778dac319e49a1b707cb10946fdb32df183

SHA512
f8edb8d3c385c47dea69b9de96b5917ed6f85ad364e89a0bde1e1ebfa65c4d081fedbffadc31dd3d7fb95a0d016a1b59428da63517ac7adb756fcc10239ddd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKgQwoQM.bat

Filesize
4B

MD5
5c4846cdb27f3dc9e2f2e55e69a72378

SHA1
6c1e045f99c4f425ee6f2f5157127d86dd0bbe1f

SHA256
21b8775c74294a58d6e06d78f46fc17667f2d1269dbe4dbe900d6e1f07a39a93

SHA512
2626e21dc857dc94abc25eadaae78fb457c2775a934dde631e1403bbb534467520cbf021bd6ea642c4096442be61c46e53af8ab4d2d95e745dd96702e10ed261

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKoQwQww.bat

Filesize
4B

MD5
eba5953a363220a20e9ef9771cb49819

SHA1
911ca0a632d1e1494d7af9e5ccec67c65c22cfc9

SHA256
63a6bd8b11711b8a8071231c6135effe9c823f3741454ef79a96b9023d2d738f

SHA512
dca49dd98ab03ef3218894437eda74cd20cca7023b0033cbafdd1f1d90c324c1476d3dce7551861fdf6b39fb702c65476b479d3496b60eaa0f81e1654740861c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcAm.exe

Filesize
442KB

MD5
bff07ff2cb5f3a33f9d2696a73f49370

SHA1
91545fc43ced63f7cb0cb75a7f300207908dc9f0

SHA256
da2f7d31aa59f34188c0d8465d7cb7711c2a68a3359717370e157dbd7755448a

SHA512
e4109ac23f5b947ea8caed53e145baba6e10c5c45e2b9ad367455e9af759029d6c8297c910473e979b45a5ace4e1b9bbdfe13494ba0835456b2c6c5a30e2afe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAIM.exe

Filesize
481KB

MD5
3278a01f0c9388dd5d57feabfad50b40

SHA1
bf71d29b1d05f39917272fe420ec64faea7897da

SHA256
7e1211eb509f81ad9f92bf900f3f0265cab78102d1790ddb08fe6ecc1721f368

SHA512
e55d4dd8469aceb2728d7cfb809da241013368d1d205df73a48ed53761dc069437f0173b040505f84bee62da190131a614f2325ab12e68e35401fb084e739efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIUC.exe

Filesize
91KB

MD5
1d3617d29b23a630781b93a280d3ac63

SHA1
1699850e6438d102d36631d561b570ea256163b1

SHA256
9a299955ac4f37f92c58916946b548da2b10b4646b5ef04e639a47137a2440c1

SHA512
226d97f6edc3c09fc99257246120e603a9f5857c7333e7234bedfa981ac4e8a8468715d66e44be9ebed852e515a799778b15055228dd060a9a6ad2e63c9e93d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYQc.exe

Filesize
480KB

MD5
ca62eaf33ba3ec5a78d5826cb5915a12

SHA1
5e9634cd358efaa4627d7a0220e1bc24920b76b2

SHA256
0ae3b3ba146d0c59b05f52688948b887fdd149b338af7f1ee9b12564aed15ae7

SHA512
92103c4632b13991b16d2d369076ca1c5e216a6ac5b1f7edb1fa44f9853f663702641e22a304cd08a15d3d92fd082c02f0ab9013024f2efc452ee0c3be9380bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZYUW.exe

Filesize
482KB

MD5
f6f488cefedca96c85a25633f6302c7b

SHA1
d86cbf5671fcc99bd9633cbde1024e1728c122b9

SHA256
d156f5d29ce013092ced6fff29c40bf74260fb881f87b4ddde321507b5e1909a

SHA512
4e739b05d54f1784fcb74725abf888396af0f9f96a5527eb41db6ffc131c24412e35db6babecc75f9e2669468bae539dfbae8e3f2aeb4ebf326e86ed39671889

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQkwskII.bat

Filesize
4B

MD5
cb4a33d688cca6eacf980607c66d9550

SHA1
54a5a2d9a60960e041cbc87442e5875c364fb15e

SHA256
03e83798b72bf3d5580054fdb864e033dee05c6b736cbd64793178166d8e62d3

SHA512
d9a12fd9cd37d6d6dea6da22816b956511c0f8b6bbb53fd7bb23803779202cbf9914ccbf0d05e08a34508e2806be7cf20893b4f10969bed42d4873db1973523e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bSQocsMw.bat

Filesize
4B

MD5
eb6c5d24cb3d1e1ae94bf8b2736984e9

SHA1
c501f90a573159344fca839265540805c5fa8ade

SHA256
130a24c75ad77fc2d65cf8baf469ab54ba8b8e355693130ab3e7576dc64a7110

SHA512
12fce5123518749824581120ef6c847a50ecb76ee2bbd39150bd406ec507df3c74df222dfcbd382ce2f386f5f881d2938307ac1c27a3cbe48a7b17b0da745f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\beQA.ico

Filesize
4KB

MD5
f461866875e8a7fc5c0e5bcdb48c67f6

SHA1
c6831938e249f1edaa968321f00141e6d791ca56

SHA256
0b3ebd04101a5bda41f07652c3d7a4f9370a4d64c88f5de4c57909c38d30a4f7

SHA512
d4c70562238d3c95100fec69a538ddf6dd43a73a959aa07f97b151baf888eac0917236ac0a9b046dba5395516acc1ce9e777bc2c173cb1d08ed79c6663404e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwEksMsU.bat

Filesize
4B

MD5
88123980e314ee2c13d8b230cbd05d68

SHA1
d7d554849832db55189f4031bb5e68b9195bddd9

SHA256
554cc59c204daeb5b57eae8a17602efb7cf0e9271fe388b21727a24af97edc92

SHA512
2e2b1dfd145bd6f0646f0b226d7e3b76b7b482d88b688c128e0ad9fed33f0cff124a6043021269970dcf5a58c292ba9774be84ed1095158ded3223f2d488da70

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmEwAwsE.bat

Filesize
4B

MD5
a2db06c799c239adc8c8088382a5ff3e

SHA1
804b9041df353c7c56e8fc77649d2bdb36e0da95

SHA256
307a16535f88d161c871543f23586cf07eb8b227d9501d4ed1a860f3df846d11

SHA512
5208284d72125c412da38f37931bd097fa0808b8e562546eb47f28d30fd811cfb80c4af5ce17f1a7c292a9a85ae94dd657c186bbaad48c2a6239a3ab80c91586

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuYockAg.bat

Filesize
4B

MD5
5bb7e6b8116d7ffbc2b519e7ef313efb

SHA1
5ff5bccd80e19cca77480d0b94cbb0c23fa63630

SHA256
d02fecbb59dc46f265729a01b0cb0447b5344f6fe73b0a88718c604ac1d73b9e

SHA512
f4f3f553569406a24ceb24505176a358a237173447311f3daadac2e172253b9ee9cd99204a2d187c043f0326e7bc172dac6b0a41115914e34aaa34bfb54ed68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAEUUEsY.bat

Filesize
4B

MD5
1285ec534c963205a991a8c9d2a709b8

SHA1
8a74b7c11db0dce6834f69d154469abc3e921420

SHA256
792b24ce2aa0cdf81f64fd1cad9485dc83e85652eab52b0e1192eea5fb8d3e5b

SHA512
01f698a640975ec128368a0edd67ae909bdeb166f3ff3d6b23b978b1cd4c4849854812d89c237214a2f7b0678f53237825f02b568c85cf8d0bd867d048e60afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dOcwssUU.bat

Filesize
4B

MD5
55e32e5d042e72115105717a5f36e020

SHA1
e1db0edd58d520a40a43773322e47fa6b7ef57e6

SHA256
4bd75ea2e8510797a530ff6032664b747711c059ba684ef81533f1e2e787489b

SHA512
d0ebb35f88eed677230d9bf53b6d9c129335dddd379030e5a2d8e64ff86fabd535d9c16d02dece687cbb696d101b56a7057c4dd28ef6bd7e8d4b56dd83b4eefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQMs.exe

Filesize
481KB

MD5
61672d4bad9cf5a6c0fea914cc76f4ec

SHA1
a26d5dc004c205173f9537bd8567ca913486c484

SHA256
9f6cec28f2843520277741cf95d0a50dc1df4597a47cf55d8c04314235fd4f53

SHA512
028b845bdadcc8e01eff6d56e78bd627dfc255551dabf21a0be37b2b66c6a581ebe9d25e5676db0b1200a0b2be7582937d62db3855953432118be27f20c91be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwMkEsYw.bat

Filesize
4B

MD5
663237ad6d7afa83d1114633ba261998

SHA1
87ebca39436091833c0142189adc7ea413f52606

SHA256
b4007f9552bc09c8525e86f6373b46f44a3d7e8f8c72ccec64ffb02ad3bffb36

SHA512
41502cfaec459c7bbfc45ee1bcda0bebdb0ce54116a9c341f278e11611034ba65dd5e09608336c998a34ce244512077537cac55dfa0be44c97935c6fb096785f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIEgYQEQ.bat

Filesize
4B

MD5
22917fcf4408be12503c96cc31405b7a

SHA1
cc2d1c166ad6911d330f33cbcba59406e38481f0

SHA256
a6292b153d91284e85dd960e5e431d8a2ec604ac4250aaff893a82f4353e1ca0

SHA512
e73fc46b1a0afa11d7e13526190a3d412ddbd539a836a32251ce721696044427d5eed08bce33123933f153f190db69b8fe63baa3ae68352284b3f6b117f75af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIMEcckk.bat

Filesize
4B

MD5
66d6cafe62de9967dc39929b471a7a45

SHA1
3c21f256ed668183d5b861c9c6d5e65d0699edef

SHA256
79fab720aa92460a36b8ad2192fc06b324137de19db5bda60380d4b9e988966c

SHA512
283b6bcc7cec9e956bbc63b33d3cf9663beea2e65666fb3da50a19ad490aaad0b27bfd0c709af4e87126e8fc84e3e33c6016ea8b97912b8719ee4e81bd4a7539

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMgG.exe

Filesize
481KB

MD5
473a66428e08d47446983f022bd3ccc0

SHA1
6967284c7c3eecb150d07884982f9b1aecc09ae3

SHA256
a62ac3df30da08e4a1ba8a1d332b6d263c8dfa392cbbe1a65a69bf2da0bcc5b4

SHA512
96d60e6c4cd2843f02d7595e6d226091bfb49780760609c727309d3ce543cbe520d061656a2c11e03f7a3ef5916cbc9924fa037178882d6f70882baeb9a81944

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecoO.exe

Filesize
482KB

MD5
d9b4add52272282588f519c4cc6feebf

SHA1
d4a2b2f343cf85d0d50170e77ea152493e280fb6

SHA256
6f7c08fcf2c68a5138ec9c0c2cdf089c4f40cbf83d3f9e6995ce9ca27d96beaa

SHA512
3c9e59f6aff90dce753ba4e3e3d44f4d0d042d4d516828a5fe40934cd6a9e2926d9ee6ddf0080a42874676fe9d2aa1b10af8ecf0c4c5566dcbe37566aaf7cea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\egQq.exe

Filesize
1.0MB

MD5
19e2ea337d5c490b497fa33b9de38f97

SHA1
9d72b2ea655defe86a4d8a4b2e6f7395cd0e5148

SHA256
2276d9edea215afd709b04057e0660efb8ff61286a48fdf627540d9e0ee2c167

SHA512
1d966a455573f23bb44ad65e0c0afce54d27047ecd9f545a3417c06a5a1723ff4d96bf4dfc7fe7e951c57e751693814929b2c1cf492688da8a8b720c7ce30334

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEAosoMA.bat

Filesize
4B

MD5
99c3081f02d18ea9c6e6267cc17c30ea

SHA1
952a76a2fcccb282d3f5146c1b7fcaffbf349abb

SHA256
15711931f8eb22efe704f21c43f60ef4f88f9c7aedad8aefcf0761a02d6249fd

SHA512
5bec51d2995de277261c4f058ae91b9d10d057c384b36ae10b0af1ac7bab260c8e77b19ae3cc69f0426731f347fdb93c6756261a34069faacf75bf4964c97c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\gGIkkoUU.bat

Filesize
4B

MD5
7187ed09d05ae6dfc51205de1265fa2f

SHA1
5669ac5f8f12d46b157c33ff43fb63651eac6163

SHA256
7d499b92bafd20f7d469ff1c61527dd1089d53724d7e89a890b991a95c891f5c

SHA512
88522bc1d37deb96d5ba5f3befdc3da26efb290ecac4082dbd01c5444ec80468bef03d545cf17375f677863cbce12d0925f7dff4c206a916c0b05b5105a1823b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYAe.exe

Filesize
478KB

MD5
0cb4dccfeebf6566709a00bb68c071f9

SHA1
32e204b7fce59924c168fe596f1be52a4a57bde2

SHA256
e801881e9278da65e160f415ced384d12a3eb714e790e71a14457114e5c1a491

SHA512
6d7170f8e86db9ccea2e8e02fe9a72c9f05609a667d84d05b058f75121a35f7f906cdd651879a4bbae177fb7c0f519e8761a0f4e3e45b61a32b8395928765366

Download Submit
C:\Users\Admin\AppData\Local\Temp\gowG.exe

Filesize
479KB

MD5
1d84cb8f7481e076693e810cdb53d202

SHA1
5b197e4f4d0941c453d9c18b4214209de8118245

SHA256
7bbb331c0ccf868b61c4f93ba45a4a6842125c9d53a8ca031e79ac7ec8e9a8cd

SHA512
41d1056dbb1de718e90674499c3ce4d47d1d3dbd64fbc9754f2cca78280d863a1231e9e3e51cd13b9fe0c2fb97ef8ad1449be94cc35ea0d36206c1de23081d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsgM.exe

Filesize
478KB

MD5
e48aec33da65a28ac8b01e4e46bb307b

SHA1
e68db32ed40ac873b23d61baf92811f8b6b562be

SHA256
7619d0916a789b8d7b7959332b8b494512d67a3e131160137f1a3665bcc91e83

SHA512
6b7d8622978779d9cb15913ccdc68e6726ce130109cff6141460f0096c5f7ae92dc526f36b704ce634b544b076fbc94d5c6456d5143ebd9346e11440c6632129

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsAI.exe

Filesize
1.9MB

MD5
53081a5b7058c9adb9c1b338dfb53e6c

SHA1
6e83aedfc2e55049281b93781c48c7b5ee12dafc

SHA256
6c01507e4c0fcdbbc74de798087b04823e86f5bdacc6c3cb37bef7ad91a367fe

SHA512
40b4f72e71532ba035a63d33604417629e00c463a39d7ede54ec94286dd4a995e76cf969b027a2288546401bed4d33a6455c062eddb1fd9e14e921b30d10d6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hugQIokE.bat

Filesize
4B

MD5
d14c3ae8d8edd081de8fc715a9b75ee1

SHA1
4f2e728c96d53b71529515acd558e408cd482644

SHA256
dcc5a1da925b95c44f181a362ac07822f7dc2e5485710073b6c14d1c8c4b10c3

SHA512
8aab8c89337cac0f7d4bd477535a34b2b140f72312b30743c4c3d0238812d63fd38255581c6079804596f53ffd61812c9240c6ad9ef111104c4d00f30cbf0d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUgM.exe

Filesize
481KB

MD5
9f14cf2092a901b5e40342a59f03c2dd

SHA1
611fa836f8e983d1920e68633a05bfc6908baac8

SHA256
ff77397d7dca8e0034ef6aeb65d841bf5c7a180c1821a59800fc45c8dc222329

SHA512
e2b6778680864a60e72d986a7b87e1677d0671ad678ccba27bc5c338fa7bef49ac68208ba29e4dc83ed42a2c68d95a7e36aedd1d28e05a6e44e5f5b22b9fc5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iaEEEYEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikEa.exe

Filesize
485KB

MD5
81d9649d94f4f738c85312585c9aab44

SHA1
4411319016e96df74e77e27e1466f0ba5d5365a9

SHA256
6bbbecd90e7f549c3d19ac992b436f8cad7bfe355c7fd201eb45e3e49223dca7

SHA512
ef4a4701a081e94352c6864e81e2d49a6d44f2b9502e652934d50f7bb02e29680113748edb475c602e0f57b00025d23b6853752f0043924efe8a46ff939c42c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqQQIAIQ.bat

Filesize
4B

MD5
7dddb0709c439895afb2065af6ff3559

SHA1
7ed81cf8c8950fcb13c8f57f7130a0aae26bc88c

SHA256
0a8ca4fc43b648f142b5190f60cac1ddb91a9e4bd158d26a9437407b30638f6d

SHA512
18966efb602d98fdbaea05f9f1b96b4b41298ff57b7aea0adfe87619043777821f39017e7c7363e5711b5a307ad275dacd3ba1180853a600bffecd0a1bf1a4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqwcIEww.bat

Filesize
4B

MD5
0a483ea6a617f740f587655bbb673e7b

SHA1
cf71e0a5614743e4847df2a46a0bf27f411b4dd1

SHA256
bec9ee4c02f0755e0ed1a1fbbc4ea9183549531eb3c4f3e8b5fe7dc9a2d8235f

SHA512
2eed398e8b6942b652d0719bd55d0ef4d795629b8c1be8575b8bf9ac0ce65a40344ba5406ff3e210b037d139b5637edebadc7c02b44d03db95c5449c2f106fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jKwIkwII.bat

Filesize
4B

MD5
89cc9ce3b00a899cc26d38ba6168f55b

SHA1
cec42e70224c78b7cc304290b95d79cce16c01ac

SHA256
516e44000ed2e0e46f7add4edc3f0c752d2e41142c7634feaffef0d18a6ad677

SHA512
2a2387fecfa18a23df4cfd7431c88c64009b2aba559eb27247b9fe7c95646ff57006a5527222a28dd7e0ce98d61820e8137fa4b105bf56a3574f82054a24428e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAIs.exe

Filesize
482KB

MD5
c17a3583848e4b2df4912984b1967cc9

SHA1
a97abe3fa92256a733305f69160010554f4bfb87

SHA256
8028bb605daef93efd08525b12e4238e81462d893992419786200015c8862775

SHA512
19d76c988f510bc915ff57e8631223ea61b41a90e333b31488144073e8517b2525b3d87d5f81836d17411c3b98bb739de52d5e166db774e7383d4509c4f9a5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcIq.exe

Filesize
481KB

MD5
ff19d5abe030319b3994132cb036d204

SHA1
969592044a65eaa3744b99d97f13fad59a550f3b

SHA256
d62899f2c3d789e8b0590c891b8d0c64dda8a831f93b401b66613ee399d4334c

SHA512
06f2eaf2407d105c30c0c217104a3bcaf39e33ec05d8295b88ba06f98ce5e4e504baec702136fb52690ec4027862ebc87a03b7827d82d93567e21cab17172bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\lccgcwsI.bat

Filesize
4B

MD5
7f5edce22e1624adc5bf9935a7f71fc7

SHA1
bf95fd4cd226d44c8714b5a8e1a4136521235a86

SHA256
d8d7144dabb9bbb6d0bbd874cf2f2b0a00c0148236ee8340937779f1255f0f40

SHA512
0a2776b374c5861da5429ef1f6773acef954739906e504aadfff4da723f4406ec7475c18d5413c277eb4b15b7b8330e50d19b666f112794a60f69bb1a934162a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkwU.exe

Filesize
483KB

MD5
038caadd53461b82210e3b2110a5a915

SHA1
c0ccf64b9a2e55e46755c5aaead1535143f4ccee

SHA256
c7a6165e4cfcb910f38f4dd698f7b8163276cd7f311ee61014c390472a28e09f

SHA512
c599659994c9c84f74bc98a1a4244da5d84efda7ecb6dcaaec45c73cdd6ba569700e12c828a0e2d7016c8942bd5565792e54fabaf9ab63d96d15134140cf87c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAwa.exe

Filesize
483KB

MD5
a328f6aec0d832ee0c8d9e6fc039a146

SHA1
feaae4685806d0c77d30bd521dcf353f6f065a4a

SHA256
b5a2f64f2c7dcb6a997b845c0a4b203d22a3520913ff6e93ef69179a8aa8400c

SHA512
0f0d47a683f0a80f97ddd6d2a0cda7a72689a0c9f34aa268c19e5f242bd6056bbb7c093e72edb54d9c0489ad4d8445ce1d89bd7229447aa80daf2b33bf5417e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEQU.ico

Filesize
4KB

MD5
8e03abdaa3016247fdd755b7130384bc

SHA1
08dd2d9541e1961b06957fe9a19ce83aeff51a5d

SHA256
42b58cb0928fd8fa0e0bfb129fae9cfc3b7d3230c2c9c367f0a17c4d0039aef8

SHA512
e282ec1c768aee026682d4c6a8e71d643ac4d7dcfec027536944c658d71b7c484aab2da6990c324d9677d032a86c1015020efcd92c9923dcc21e4e5ce5b0e26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEUQQoYU.bat

Filesize
4B

MD5
f2058de1583fbeaf0cb674f76d74f784

SHA1
f7df78fdc37984d1a46070733412f7a5acf18549

SHA256
53d54804bc0827113e89757ebb8038fac9c5a8f0cd4ed988cfd1ec099beaf43d

SHA512
8048ab95a5a964fce7f02ebabe1f5c18d46947eb949ecfcb538d82b8cdef94bb89c1eee015f13b1b15de7ba119bee494137a93fc135d61a4299dde51c2492922

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMoYcMwI.bat

Filesize
4B

MD5
28466b53e537c29c9ee8451e57f1dd36

SHA1
b1571c9affb5092f66cc210144b7bda38b2dc151

SHA256
9eeb02566a5a3777acd1af8670979fecace7a413683077b79ac73689fb564693

SHA512
2b7ce52fe01a2d002abfebda40332e12726601e0c6a2fe122ed2dc8a827e50c75d8ce8d90e0716b766facfe95f4d4b3a7d816efbc68704875478ee2597b324e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nSYwQgkk.bat

Filesize
4B

MD5
cf8a5a1918dabf6831e19ea92c4aaa28

SHA1
866bf6dc9a00cbacf41fcdb094fe12cc9641a23f

SHA256
6259f6ffa4c23958a0e0d1cdcff218098aefe76b967856d91257e3920f5750ae

SHA512
1fecb80a74f7082d6a3ddca172fe2b2f5aaf9d95068f90b43d84441ab4901370693aa8e0bbdfba06c45408c8f2c7f81527ba5b7205fde18f4b3123a4b7f1e7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nYYK.exe

Filesize
480KB

MD5
cc6e94d382c1afde961b302d5bcc1441

SHA1
bff073d73ffd120c599c4734c87056059ee95fb2

SHA256
cff06a09ba7e1c70fb5b38c6d56d0f53b686981d540ee3acdc5fae9ca70a9c7f

SHA512
73a2224e9cb272f882229a9f40a0a6089abd534816ab948b3e1a99506a1118f06f9daa057acc39870a8ffefe4fdc9750b362e1bf6e1b1b9bb1f191481a8a5f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngEs.exe

Filesize
483KB

MD5
e510a83017b04221ba4a938afc73e98a

SHA1
14e0ee4c2039b426727c7868895f07468754142a

SHA256
21519d784525fd9ed98068d7fe28bb9a7bcc96916c65c259df2024402f19fa1e

SHA512
e6290d2c56fc06fe57b53353f11767c3f4848fcbd1b03c963cb0da0ba0301cd54d68aa56c6634c715f8123c33a42ec5f41ce32fd2f20acda3c6cebecd3fbe830

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngkMwQMQ.bat

Filesize
4B

MD5
22e5c4e96c1a3bb042edae18df8d06bc

SHA1
b0d858476ff5b961f5334668c3c480351fb9aaca

SHA256
8cb54bca467a487f3bb000bcaad52c7165eefc0a5786f4e30eaa6131fe191b0c

SHA512
64c2d079d5229a9f3e2c119dbe5a150107cf9ee3341135ac0810b4013d4f26dafec5593337a051e1dcb907f53e9b0a4715e6745ac2e5a4b7f31174eed510828e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQgG.exe

Filesize
3.4MB

MD5
e55f4e7b8052a01eab16b7607871c2ca

SHA1
c74a7198ef63b2a8622ff5d7d06b30bcc594f85b

SHA256
8682c84d144423fd2f88f29f1863ed3089e66c313e37b5319838f4afc5cd6a81

SHA512
0e5f3bcd38453e30199afa99c861afe1c6364c9e977271cc35717613285cac73d33d6c58a92a4bf3ed325cebf26fba781b65212528c6f491b92c222dfb4349e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQoYQQgA.bat

Filesize
4B

MD5
3cec4a6a7d184c3af136149741f541cd

SHA1
c2a4b5305d80f3f1202721fe5dc5e978c4bdc5ec

SHA256
697a0801f6776785d8cf3821923a9d06ea57d0bd018255d097a238c68f14d333

SHA512
02851c9d6c9132454f2f54d02f0a65ea6fae5b4f2afac51a916caa94999fe3f1a7d780255c8746fcde4e314d36bff82b46f6c49b0722ebbab4fa4995581ea118

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUko.exe

Filesize
1.3MB

MD5
f5e2aafdf0eac06bea285ec10f4359f2

SHA1
498331987232f81a00feef1fe6bc40c93590ebaa

SHA256
09dc4a9abc7accfcde9b784ae51baabcafeb64ff46ebfe024254cd60e43f9fcf

SHA512
afd95beb69b487dc7b3e6ddaae3e273e5e193e06f8d990c15ebc2c224541eec3a722be1b975e9e3633f24977c489487a6ae3b699c8a7098f5b435bda4b5e1e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYQK.exe

Filesize
481KB

MD5
16e12bd50fa8c526b0664123cc40fe7a

SHA1
6441274609cafa185f9abfccfb7a0c6c5e60e9ff

SHA256
7de6a7963b7908179703342a4f3d4b5fdbba2ea060a816f1e9930cd70266aad6

SHA512
477881b5837fbcf527f68227640f80624ea317e2c755e0f9e59dddecc31aae4e17cabc4120b2e075782c035ccbadfa34f4ad9410faa7a3fd3784e0993d5458e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcEw.exe

Filesize
488KB

MD5
ac1e881070cdb42cf5c54efc8ec4a82c

SHA1
c1482edf39a86a4d8983472acbf4b72eb865161f

SHA256
7168d8baa9c33ed41bc7348400337e8d06e71e8d4a8bc1006828288526ea9726

SHA512
454cf02fc8d74f9c5bc6f65d4c8bc108784b7258f3611a1195f88015d42cdc545675d5781c27b9c140db2db69358d69f30dfe2ebe0f0793326700d6f1571f142

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAAY.exe

Filesize
480KB

MD5
62422a3cd636de62828e285495e0acb9

SHA1
0c186967d8ec77384eb67cc84d9d3406c219d858

SHA256
c6908217a1dd6962c3898ba82c7d884e1256b97cc7dce991dfc6f0e350943b12

SHA512
41a3f4ad47d7144a57cccb54bcaf053561b4c71402374e060df357fafa44fbbea51cc0f9a8ae4c9841099a94ff2d1dd76dee9ddc34c70e8a3301f50254fd55d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUoQMEco.bat

Filesize
4B

MD5
d698b067e40dfd10c145490aa81ebc7b

SHA1
a7492c32fd1e26300e4f2cbb4ad9b7f76916b438

SHA256
209614082592c1cfb5191dc6901b1dcf7caa6f98fb652c7773dcf9e8a645da82

SHA512
9d844eebb8d729f368b8ee2ed04c81c273732debe6adeff42bfda803e17aabfbdeafcc4af15f0b67d12cf3e4310bb47f80440257364fb20c29578654843eea0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYAkoUck.bat

Filesize
4B

MD5
75afda7cedb5894a5f33a0cffa923398

SHA1
706243f8649a91a3c9e0c373678d035772a72c8c

SHA256
693f81b0a0dab479f1b7bfc9a57c8bcdd1e4016d2f78ee52d5c3b3cb1ad6bb60

SHA512
6706d1288422ad521fe6d14b74c2d176d19fe9e0f3668a8e35dfadda408b15bd7cc6849417bd4f7f80b14e621f37fadeecea92b5d66273159f62d95faddbe917

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAku.exe

Filesize
478KB

MD5
a303bfc8d9d7b749285d06470bde433c

SHA1
6fd6ae3e5b846aa5b0b41070871ecf5b031f075f

SHA256
535e26f315b6a239b1b24eeb530021ca0931333221606601885c26e1c34ec36f

SHA512
9cc9fb1d441d766d7b63a110bde6d7612b042cf5d360e72adf26d892dc89fbfcc32baefcc723c629c6e1aee754971484fec1a3d07872113d0a0da2109329401a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEUI.exe

Filesize
484KB

MD5
9786b4bbcef58a5040bcf893866423ab

SHA1
f5d23d585e3513a39600c816b587aa0d2c9c0fc2

SHA256
cb425186bcbfcf6e8ae4712821bae59c68b35b0a5d063ab68d0a082d3cbdbd21

SHA512
c6db5b967a468fdc723affb6a8a1f16d8a6ec91ac99a90682f2252525d4bcbd8a1f778ad78f282bf2ca2a70ca204d90bbd36f6266cf0ce355f7a31794fefce9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQAK.exe

Filesize
463KB

MD5
369ecf748969853756473319d5b6c428

SHA1
30e4419ea764ed842a3b8c513fc4d6d3bccd26cf

SHA256
dc0413d2e74e42160e22a6098adf3ce7c2566b0ebd166626b0d8be1dd6be221b

SHA512
b388c3a5448ca3d5761d5cae75f87240a492cbda497f8176046bd4cc62efb2a9513fed560d54b0060104779d5fcb3aeaf0175dcf0d83eb0d9045f821bb5b8d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgYw.exe

Filesize
481KB

MD5
46f2eaf31cec3385ddb6f8ac708f88fc

SHA1
b5656ac46e6e01e47c3b955a5c72ab74b77b5da9

SHA256
072a8213efb76d4e355b95615fbe1d0446b4e959822f4eaf17287366e613717a

SHA512
c1717f44e34b5f6bc3259749c6e163aa1a28bca6b0f60cc2a6b10175b0ca2d9de6bdb11cdede47397eeaedc52d76be9fc24046711f223cde389929e43ebbe614

Download Submit
C:\Users\Admin\AppData\Local\Temp\tMwwQckw.bat

Filesize
4B

MD5
10993cb17e9000b003fb488527c6789c

SHA1
7db7b18fe57b6d70aec863e94243fb5ec137a9d9

SHA256
248139308938432138e144e247635e28b2bbed1fe5a6a7a92b9ef4f201280bfb

SHA512
13604da50b8d20ff0730a2f370db1aaafee371d19362562220e5ecaf9fd8541d4bb918d68e3225cef2ccd623a31be50e11cb9892db17861db5fae49bd7413b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgEa.exe

Filesize
477KB

MD5
80dc9912a11c58cb1a063d19d778b862

SHA1
9b3d79fb5e470321c8a355782d66c336bd9f1dea

SHA256
9fcb2b49ef912cb80563c386fb60b6b5f9885be5432b3b1ed4743a25eae0247a

SHA512
a364e2ce1a9f5fcaeffa255bb89e0cb7cdb35c6d817738c4c190b30629efe4f82ef20da1b1e60f4bba9878be34bb62f50f0a31d016d4dae70d32f1ecde1d2526

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgUc.exe

Filesize
447KB

MD5
4c906d3d070471063fbd0bfa3a3cc960

SHA1
aa2f9535fe13e095e6f63a12dbbe0044c6927081

SHA256
71f6ef4299f6b853a10cc2c7e7054aedef6405ed9f643f87a657fb6d14befa54

SHA512
9ed6514138c803eec81d91c8df747c8e1d6aabe5b3c2e8d1eeb50c541250389221eaa43f8735031ed6403a04583be3d263d27f085fb660f8aa37fef913e35747

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUccwAUc.bat

Filesize
4B

MD5
2d16daae2d522765d8c24d20cb1afc7d

SHA1
c218c16848e6125600b14387deb0d422780f8ea7

SHA256
37669b7a53d0ac785ce67c2b05ae1812879fb59c7e4fd1b8442325c318d95436

SHA512
f621eaca28580b8c16b63267d2aa36d4fa5fe7a864d3b2cbb68ba894d16df736a1a6c99855e454e23d47f71f8b0fb6cb0124a410687cefa427e6afe5457e099e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uWQoUswY.bat

Filesize
4B

MD5
9e5fd97abc291caa8cd31c04db6bbf6a

SHA1
b8c1383e06522f99e60994e3f9f7ae29bec9be5f

SHA256
8780467b331c7ed38ba7ea5c59b9dfaa904a511c55fa41d27cadf45bfc9e4439

SHA512
31c1c42e92c1586e54b07a217a6e85f56593b9abb97d672b63d89cb01cc91ae37517ddae136a709ec2bf5bacead02ee941b08cdd17666423a79daef95ba99c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEAQ.exe

Filesize
483KB

MD5
ecc69dbbe337718cfe80a94a5c2b5eca

SHA1
812e0a4cdfcd273ac86a4205ae1d1cc5f63ce4fa

SHA256
2a8d86dd011d775bdff30de0c41d63d8592cd16cd2b559f88d1b94d58f6ac165

SHA512
c0cabcfaaee33d7086721308f70ade478193b84379accb4ce67fc2301b354f8ee277756b7d862ecc5288477eed5d1af7ea76a77c9d35f937b430135ba3dd0790

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQcQAcks.bat

Filesize
4B

MD5
3af131230932f294c65f5a8a0dd969df

SHA1
5864d71ecebee0b8b1d2102f8788840d7796c7bc

SHA256
693cab417aa1f4d955bcf3bccd85e7713b4b824f8ff7d8c13617bcd0be31a600

SHA512
dce20473f485ba7a709a3dfa4d7291bbc33742be21f12d987fe8493ce1b5ab021fd370f95553826ef905e20e95b27097bf769eb92fa4acba319200e8f3b8dde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQwy.exe

Filesize
478KB

MD5
26b93e6887af9aeb26d76044693552d4

SHA1
78f038a8fabe6e81b57b9066e7758389ac189228

SHA256
f8c3e49e13bd726cb91f77267c262be216ee0460b5a6a250225043ad828a1eb6

SHA512
f47ff6b344942b81af2bcc9926bd68bb729d102d1265bb100e09b3857d5614748ae77a09fd87969b035e52d14ab4fa9b53ff26541ec96d2dd6e434e8ac4a5257

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwAm.exe

Filesize
483KB

MD5
a925c8ba5707c8ad3f8310ce684ea876

SHA1
a16b4d37f7aa46e4b706f1b3aeb855c6b2acde64

SHA256
346d98140640a231a316f7f9e967cb36cdd040eac5e854ce74627bfc61f3c4e3

SHA512
c18641e2613a13d5d8b056496b8e97e84108839558c3e46744adda71e0e5f18e5e2e14ed01f0ca0c106dcfdce620388a04f1f12328733510217a07887aeb4bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwQU.exe

Filesize
890KB

MD5
7efe3567c47a675ad2048b0220752489

SHA1
1cbf0e013b3acfb4938d1ec797747b73ad4fe010

SHA256
5802e166c5d1c7a1ca1d0f94e33c7ee641fea5900662c82a6eaf9548045e424f

SHA512
bd3067e85e327245932d12ccd3124e49391acb587ded7c99ad98a3b5beb91785cff0dd35cab7c61e0949aa1f87841e255a0e5d301392adad0fb54e55eada9294

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIsk.exe

Filesize
442KB

MD5
c311056fa9ec759fca04bf0ed33c1c14

SHA1
6fd14a137f71b157fd0b94e0cc1c140387991f98

SHA256
9a5b58d7e2712ef2183e2ec6c77e37b6bc807a310b81c5ddcfc0317c3f2a8c67

SHA512
a4aaad69758b52bee2bb6e5b042de42df668cf662783eaa16a5ea88d67e80d4407cc2f0b0d7dbd9a941dadc99eb8034ff8bf1627cc7bf3a9b87af8bc2eab1e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQEoEwsk.bat

Filesize
4B

MD5
4ea1391e94a4f3dad0b1ae1d5a737499

SHA1
206453219c9a30e05dc5b6f2aadb0bfeefe82389

SHA256
2027d17034d68a861865133a609e035e2a4c1044b8033568bd58d7059844855d

SHA512
45b5a968562f4cb68cc56c0f11310ee4334d4d3fc1c8d08ff0bdc86a9a50c644f03d2217d2f86ab95111a6b88b0c0bdcc8bd5a62d4aa6124cbf3c64c6342456f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYcq.exe

Filesize
482KB

MD5
4d529cb3c9e1093d66ea48539f344682

SHA1
586dd4b6c122c13f7c1cf92e62f19673b81f2e11

SHA256
5ed5d621d632d7899ea7b826d72917a8a264eed44e9a1e1c0d0bdbea1e059fcb

SHA512
973876eebb2d37a127700bfa7dcebd1144cb357fe7a751e7a9e92111c9c02bdfd8bb55d12fe964244ae9011a3ff1de63e3dc7ddf5955e5ccccd66ac3bfe21e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKEkoQsw.bat

Filesize
4B

MD5
595648218fbf2fe0d6aadf433852cc3b

SHA1
900c5391233f906ae4d56635cee4b53f24e32888

SHA256
621f5deda020a9d607c5348c5cb7db4d4563111ad1ead001b089c7e124447ecf

SHA512
3543159cd3635274064f357eb46a48774137b26489b2c6cce11d6d1b828eab8f2236ba27ea2a63adaeabe41286f52fb7c0fcfcc720a7cfb99f0fb2c8a4834079

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAsm.exe

Filesize
483KB

MD5
75a6cb5818c4b1d5994f606c2f08ec55

SHA1
688c73387438fc56c43ee69092217a1fed8cf0e4

SHA256
15d2afb8a1e0b167d636a9bed381edb69de5f933d0bdec7e370c1e44952d8923

SHA512
2df00984768e42fd50f1b0d328fd66f5803250f4d7a4c245fb926211f687918fb6a342ced3b1e03bfb92001651da6f4a84804778b98c675391e0ded8160b21e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zEwS.exe

Filesize
917KB

MD5
b78d02772952a429a27323f0a8c7030f

SHA1
82f6859dbabaf13cd277a521314b8869147ebc48

SHA256
bb068a0298a6fdae1f235b5a8161645113ddbaa1c47b9c2dafee0a3520b8ce90

SHA512
88df3f4140a661250aa804363dca76ca2d28a34cc1be0b7b884cc7f19e450ccf5a2d68189315ca56b39fa494af5ed99fb4efaef89727179dbfee103ec43cfeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcEo.exe

Filesize
482KB

MD5
d45ec945a86baf0402d43a2a4d30a173

SHA1
926dd36902b62f732cb297f85f3d0da264637b4a

SHA256
19b3471307f633eec9a6f27420b15416f3ec5a84e70f1a44e74e4adbde3f2993

SHA512
1160e2386a505a00508ba4f572e93c24965a796ce0e6f62bd6fddd28a91132141c4e5958be418dcf39fa3e196a95716d9b8b5fdf8dde7001a3ffca02db5dc392

Download Submit
C:\Users\Admin\Documents\Opened.docx.exe

Filesize
445KB

MD5
93322c4bcd617cadb873e5612f8d1a58

SHA1
76d64fda14f885b4790f1a97a7216ced9b7510fc

SHA256
144aa5a336f2a4fa7edb38c6b76868c7dbfc1c2ee528e90f5986742f89bfd9df

SHA512
fe48af0225e447d6b603df29050814ea595bc57e3caa14710ddde7b9c63f5beb45a14b99139c37ea4b07d4c81b20e1093c976ead0568cc8d0fc6e99f9e75065f

Download Submit
memory/388-163-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/388-130-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1008-740-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1008-810-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1052-253-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1052-224-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1080-1029-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1080-975-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1320-868-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1320-796-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1352-257-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1516-560-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1516-514-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1700-845-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1700-939-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-360-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1748-314-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1820-334-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1820-304-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1852-140-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1852-109-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1860-615-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1860-694-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1864-338-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1864-429-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1872-119-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1872-76-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1992-460-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1992-513-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2020-1099-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2020-1016-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2044-93-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2044-56-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2064-730-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2064-699-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2084-258-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2132-275-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2196-209-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2196-178-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2280-198-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2280-20-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2308-242-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2308-200-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2412-155-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2412-186-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2616-34-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2616-73-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2712-435-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2712-470-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2820-44-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2820-92-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2900-223-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2900-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2980-1066-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2980-1156-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2992-175-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2992-10-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2996-153-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2996-300-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2996-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3028-917-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3028-983-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3060-551-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3060-637-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download