cb513c01b49d43391f2aaf7b9ebd4a4610373f43640874b66debad8e226ac94c

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57b6dfaea44d7842c5f2e8a19d95e6a2.exe
Size

488KB
MD5

57b6dfaea44d7842c5f2e8a19d95e6a2
SHA1

d1cdc7cc621071b34b0ec6e9bcb74746b2d755f8
SHA256

cb513c01b49d43391f2aaf7b9ebd4a4610373f43640874b66debad8e226ac94c
SHA512

3c637102672cd94c14664a339e5a38ebdcff1b3dd0d5e3af0ed7c760739445b09300c39f77cb40d2599dd8a39b12defe6912eaba4b0320b09a23a1023a186652
SSDEEP

12288:0dnkz0oPyOjJy8x5QuvABNW0hjoFR0WZoLv5Ojw:0dnkIopjsmQu90mHTZGv0w

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 32 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 32 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	MuQQgEcc.exe

Executes dropped EXE 3 IoCs

pid	Process
4216	MuQQgEcc.exe
3472	BGgcgggo.exe
2292	MuAEIokk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MuQQgEcc.exe = "C:\\Users\\Admin\\HisQIsQc\\MuQQgEcc.exe"	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BGgcgggo.exe = "C:\\ProgramData\\xQUsIUEw\\BGgcgggo.exe"	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MuQQgEcc.exe = "C:\\Users\\Admin\\HisQIsQc\\MuQQgEcc.exe"	MuQQgEcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BGgcgggo.exe = "C:\\ProgramData\\xQUsIUEw\\BGgcgggo.exe"	BGgcgggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BGgcgggo.exe = "C:\\ProgramData\\xQUsIUEw\\BGgcgggo.exe"	MuAEIokk.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\HisQIsQc	MuAEIokk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\HisQIsQc\MuQQgEcc	MuAEIokk.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	MuQQgEcc.exe
File opened for modification	C:\Windows\SysWOW64\sheLimitUpdate.mp3	MuQQgEcc.exe
File opened for modification	C:\Windows\SysWOW64\sheSuspendRename.wma	MuQQgEcc.exe
File opened for modification	C:\Windows\SysWOW64\sheUninstallUnblock.mp3	MuQQgEcc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5000	reg.exe
1300	reg.exe
3100	reg.exe
2884	reg.exe
4056	reg.exe
4456	reg.exe
3340	reg.exe
376	reg.exe
3608	reg.exe
3524	reg.exe
2168	reg.exe
3100	reg.exe
3056	reg.exe
3624	reg.exe
1376	reg.exe
4616	reg.exe
3884	reg.exe
4232	reg.exe
3080	reg.exe
1316	reg.exe
948	reg.exe
1392	reg.exe
3288	reg.exe
1004	reg.exe
3988	reg.exe
3616	reg.exe
2424	reg.exe
5080	reg.exe
4324	reg.exe
2284	reg.exe
3548	reg.exe
4672	reg.exe
392	reg.exe
4336	reg.exe
2656	reg.exe
4868	reg.exe
2564	reg.exe
3908	reg.exe
4036	reg.exe
1856	reg.exe
1608	reg.exe
728	reg.exe
3692	reg.exe
976	reg.exe
3716	reg.exe
3440	reg.exe
2928	reg.exe
2200	reg.exe
3524	reg.exe
3124	reg.exe
3692	reg.exe
4356	reg.exe
4892	reg.exe
4440	reg.exe
676	reg.exe
3812	reg.exe
376	reg.exe
3904	reg.exe
4076	reg.exe
1392	reg.exe
4408	reg.exe
432	reg.exe
388	reg.exe
4232	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
372	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
372	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
372	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
372	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
624	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
624	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
624	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
624	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4892	cmd.exe
4892	cmd.exe
4892	cmd.exe
4892	cmd.exe
2776	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
2776	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
2776	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
2776	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4280	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4280	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4280	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4280	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4164	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4164	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4164	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
4164	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
3460	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
3460	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
3460	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
3460	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
396	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
396	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
396	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
396	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
3196	cmd.exe
3196	cmd.exe
3196	cmd.exe
3196	cmd.exe
1968	reg.exe
1968	reg.exe
1968	reg.exe
1968	reg.exe
1584	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
1584	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
1584	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
1584	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
1328	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
1328	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
1328	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
1328	57b6dfaea44d7842c5f2e8a19d95e6a2.exe
3908	reg.exe
3908	reg.exe
3908	reg.exe
3908	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4216	MuQQgEcc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe
4216	MuQQgEcc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 4216	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	93
PID 724 wrote to memory of 4216	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	93
PID 724 wrote to memory of 4216	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	93
PID 724 wrote to memory of 3472	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	94
PID 724 wrote to memory of 3472	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	94
PID 724 wrote to memory of 3472	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	94
PID 724 wrote to memory of 1604	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	96
PID 724 wrote to memory of 1604	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	96
PID 724 wrote to memory of 1604	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	96
PID 1604 wrote to memory of 4700	1604	cmd.exe	98
PID 1604 wrote to memory of 4700	1604	cmd.exe	98
PID 1604 wrote to memory of 4700	1604	cmd.exe	98
PID 724 wrote to memory of 1316	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	99
PID 724 wrote to memory of 1316	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	99
PID 724 wrote to memory of 1316	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	99
PID 724 wrote to memory of 3100	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	100
PID 724 wrote to memory of 3100	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	100
PID 724 wrote to memory of 3100	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	100
PID 724 wrote to memory of 1392	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	101
PID 724 wrote to memory of 1392	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	101
PID 724 wrote to memory of 1392	724	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	101
PID 4700 wrote to memory of 2880	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	105
PID 4700 wrote to memory of 2880	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	105
PID 4700 wrote to memory of 2880	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	105
PID 4700 wrote to memory of 948	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	107
PID 4700 wrote to memory of 948	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	107
PID 4700 wrote to memory of 948	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	107
PID 4700 wrote to memory of 3876	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	108
PID 4700 wrote to memory of 3876	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	108
PID 4700 wrote to memory of 3876	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	108
PID 4700 wrote to memory of 4356	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	109
PID 4700 wrote to memory of 4356	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	109
PID 4700 wrote to memory of 4356	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	109
PID 4700 wrote to memory of 1984	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	110
PID 4700 wrote to memory of 1984	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	110
PID 4700 wrote to memory of 1984	4700	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	110
PID 2880 wrote to memory of 2924	2880	cmd.exe	115
PID 2880 wrote to memory of 2924	2880	cmd.exe	115
PID 2880 wrote to memory of 2924	2880	cmd.exe	115
PID 2924 wrote to memory of 4600	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	116
PID 2924 wrote to memory of 4600	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	116
PID 2924 wrote to memory of 4600	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	116
PID 1984 wrote to memory of 4456	1984	cmd.exe	118
PID 1984 wrote to memory of 4456	1984	cmd.exe	118
PID 1984 wrote to memory of 4456	1984	cmd.exe	118
PID 2924 wrote to memory of 2680	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	120
PID 2924 wrote to memory of 2680	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	120
PID 2924 wrote to memory of 2680	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	120
PID 2924 wrote to memory of 376	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	119
PID 2924 wrote to memory of 376	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	119
PID 2924 wrote to memory of 376	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	119
PID 2924 wrote to memory of 2168	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	121
PID 2924 wrote to memory of 2168	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	121
PID 2924 wrote to memory of 2168	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	121
PID 2924 wrote to memory of 3048	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	122
PID 2924 wrote to memory of 3048	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	122
PID 2924 wrote to memory of 3048	2924	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	122
PID 4600 wrote to memory of 372	4600	cmd.exe	127
PID 4600 wrote to memory of 372	4600	cmd.exe	127
PID 4600 wrote to memory of 372	4600	cmd.exe	127
PID 372 wrote to memory of 3960	372	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	128
PID 372 wrote to memory of 3960	372	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	128
PID 372 wrote to memory of 3960	372	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	128
PID 372 wrote to memory of 3288	372	57b6dfaea44d7842c5f2e8a19d95e6a2.exe	136

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe

C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
"C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:724
- C:\Users\Admin\HisQIsQc\MuQQgEcc.exe
  "C:\Users\Admin\HisQIsQc\MuQQgEcc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4216
- C:\ProgramData\xQUsIUEw\BGgcgggo.exe
  "C:\ProgramData\xQUsIUEw\BGgcgggo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
    C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        8⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        10⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        11⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        12⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        14⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        15⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        16⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        18⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        20⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        22⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        23⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        24⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        25⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        26⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        28⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        30⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        31⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        32⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        33⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        34⤵
        
        PID:636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        UAC bypass
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        35⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        36⤵
        
        PID:4568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        37⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        38⤵
        
        PID:2352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        39⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        40⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        41⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        42⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        43⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        44⤵
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        45⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        46⤵
        
        PID:1392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        47⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        48⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        49⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        50⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        51⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        52⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        53⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        54⤵
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        55⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        56⤵
        
        PID:4616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        57⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        58⤵
        
        PID:3716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        59⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        60⤵
        
        PID:948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        UAC bypass
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        61⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        62⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        64⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe
        
        C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2
        65⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2"
        66⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeQkgAAc.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        UAC bypass
        
        PID:2552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSIUUAYg.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        64⤵
        
        PID:4628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCIccUcc.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        62⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:3084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        UAC bypass
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        Modifies registry key
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwQMUoUM.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        60⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        UAC bypass
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOgYsQAw.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        58⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgcsYUMI.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        56⤵
        
        PID:3028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOcgQIwk.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        54⤵
        
        PID:4376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        UAC bypass
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIUwMQEQ.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        52⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        Suspicious behavior: EnumeratesProcesses
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAcAcUIk.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        50⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYAUQAAM.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        48⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oosgEkAg.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        46⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaMoUQAg.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        44⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        Modifies registry key
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmYcUcog.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        42⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4076
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        UAC bypass
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqowUYUE.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        40⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQYIYkws.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        38⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQYYAgcM.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        36⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        Modifies registry key
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgIkAUgo.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        34⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEwMkoIk.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        32⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWAIcgQs.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        30⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weEEgkYU.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        28⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAkEQQEI.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        26⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies registry key
        
        PID:1300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKEIIUIg.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGAgUoME.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        22⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        Modifies registry key
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyEIkMoA.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        20⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMMwIsog.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        18⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        Modifies registry key
        
        PID:2564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        UAC bypass
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies registry key
        
        PID:728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UissUMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        16⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        Modifies registry key
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOsscIAw.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        14⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUokgUMg.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        12⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOwUoUQw.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        10⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmQUgAwk.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        8⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:3288
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:376
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2680
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSAcwkEA.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
        6⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2020
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:948
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3876
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yagogEoM.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4456
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1316
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:3100
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIowcsgw.bat" "C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2.exe""
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1440

C:\ProgramData\BSEgEckg\MuAEIokk.exe
C:\ProgramData\BSEgEckg\MuAEIokk.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:976

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:1004

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 9682cb1821ae58155aacf168645a4890 kLq8WKRtsU6KH33IX4t+gQ.0.1.0.0.0
1⤵
- UAC bypass
PID:116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4356

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BSEgEckg\MuAEIokk.exe

Filesize
429KB

MD5
d816b4d6d57a66bb3e1f813614dc69f7

SHA1
f9dee43ed930d6fde7270cf3c5a4e24e485bf331

SHA256
ca38e9126f8f00f9b44eb778e7e194a6443fe176eec2612e5907cbb80afbcfbf

SHA512
00dc7441716db9c03b1185b6734db0ae7a85846fd3bca07bb3be5876effd17c2b30bfb031dc76d2a74f054dbdca270b783aa7cdf7ead56549aa8fcac19f55194

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
459KB

MD5
da73a0df14cd972a85a7b26e338130d2

SHA1
deaa91657c1a2538d94e562ca4685e514ca10fa9

SHA256
4daff9397f039eca87e080d3dd17aed6f39e3cf7d27b3316822df7aa6724a32c

SHA512
f70c8dcf226b4ff88530ab3ffeb0a801eb5bf4fd8aad6a03871e0433bdfe974d43676aba22162527f09b3dda5d7a5a659f607618cb518f7c9f433f824c8ea3d1

Download Submit
C:\ProgramData\xQUsIUEw\BGgcgggo.exe

Filesize
432KB

MD5
c543c688e8815ae5eaad2b1fca7c1a74

SHA1
3d1d90c2082f72cdf6e75e23a3be2f06a6fcedfc

SHA256
0d6f7f6b068e49c988f0dc42f8e0be89ff6a7abb4f1dbe88f4e5abf68dd6c9cf

SHA512
770984da767720f6512d830b2cd6872a8aa5bfd051264e689037ba174bcea02d28f93ee38f3c0b432c17bfd2d8ac0c5716e230328b2944984349c2e75f2ecfd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe

Filesize
439KB

MD5
280472db87e3ed91698870ed9abf66f9

SHA1
1ef2557bf09f50119025bd02881d1a72e95c428b

SHA256
d8f13db3934750e9d9ba66e720ec50dc4f80a9440979542f544671025660043f

SHA512
a5970b17c2632ff8202840a966d84928beb1691cfaff18465fd39fc10da834ebcc449a3e1aff3f3585f7f293916e92320f9f3f4712993be28458614b16ff7a82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe

Filesize
457KB

MD5
23a90e22c719d6f536fb6df3aeb4d4a9

SHA1
5bd9b730df1af6e466a83d4e2421ac954bfc73f8

SHA256
6a26ce6bc50ebb174c905e920fad295468fed94bad2d9db3e437145f1da17036

SHA512
5c88f7e7aafed3d4cc87ceb7b3031aa59029b7f7bd279260f638d02ba7a1d1cbb7c5e106693b891cf68ac3c726c8420b598e5788a99dd70efd02049ea3087d9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ScreenshotOptIn.gif.exe

Filesize
192KB

MD5
6fa096df999a1ebe007bda150a8fb37c

SHA1
7a58bc0781638d8c2ab51ca3a2a1dcf838113aaf

SHA256
a7b8aeee41914e3c01c1d9d9feb6255048f75d298187ee61d69c7dea5f89d67b

SHA512
53b8e3edb8b1295b3941596a1953205768ab65bb99e30b2d3911a596ffc750e62fe572fda59ab5be90d0405548aed7237e875bbc09ee1669318b0a3878434fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\57b6dfaea44d7842c5f2e8a19d95e6a2

Filesize
48KB

MD5
b0de08b6aada24cdd3458113d175f1a7

SHA1
225797b52f320b3efb2643c55fe55ab3a5618ae9

SHA256
40015814487b93a8372f33284d45586739a4a1e9d2b7961ab8c6d4d9561d10cb

SHA512
fd59488e0223f49d66bb3ca7a70e74b7ca2052769f78790aee0682e0306f6e9421d28ab9a34487bd8934571cccb6798c98040b25934dfe1f0a13c7ca490ecbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BkoA.exe

Filesize
889KB

MD5
55e69266d49a25d6e366b96926056f82

SHA1
356c63d731707cd641f18af902d2243d8d4c39a5

SHA256
d0f82726bd432e33d1297d15cd03e47890ff8cf7735b29b8acdb495ff4457622

SHA512
8c119a2911d7d7a29762917064d1f4fc77cfa906ce1e06d4eafc36b90b6db667ed0173f7113ace37108e669f2d3039ff21c71236630ab1a54b9c40f4a3903482

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsEI.exe

Filesize
557KB

MD5
8d9a8b77c8889339087ae3601e836ada

SHA1
2cec47a3603fe692c181a347186d3f28ef86e9f6

SHA256
5c2b9aeb71f1e1cb6f1349e81b923488aa278b8bcb4f581b6997a1d909de0378

SHA512
a56e504a256e75fe6d79b941ffbc56f330255c0f39a34f4b2d38300f46a41db42d9fdca813eafe3060305869060ddfbe929188c79d2e7a500f7d4f0a333100c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMAA.exe

Filesize
442KB

MD5
35e9165ceb16c9ba1914671310f06e01

SHA1
6ed0bafaeb87ec1b0f13855f9e9c4d997a1a472d

SHA256
88fe64b0fb48a47c57f10b5e2dddb91769c5f3d0fdcd11d883edc87efe38c1d1

SHA512
6bc058b289868130bab2e77d1dda8fa08c10a1b6e56a892373d5b1d31bfa069495d12c9b46a6aefb6ead959087f3be1ab85d9a3968f6571d3cb2ff997344aaa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DowO.exe

Filesize
444KB

MD5
b9386e5e05659de34ece4fd6bd778184

SHA1
a5d3e16bd47cf923f127b6a834b93bb96f6f6862

SHA256
07794e87651063895cf321995ac18b28f21eec3552eebaa9d4ecf58a2742847d

SHA512
99f80ba7537c6ac8df5e110d5bc13168fb1ec55311d607311c598c1fdd400caf75e2c4923231f6a858dfdeb9d8932104cd0634178eca44bc793b5d738790dc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Esgq.exe

Filesize
440KB

MD5
a14205bb1900dc689c2a7afef0d08ef8

SHA1
a6cd7f80e2c60977ef112d4afb15928917c03df9

SHA256
174258458bbdd288d0afcda0a5860ce1790c4b6529916e092594ac0211622326

SHA512
30aa44cf3386f9abc6a3492a1f129ad9623ebe6692e6cf62579415f60df2b51e48b6d2077e9e2a25fe6f1daf5ec529f02af0fbcc378e2ef24a430384cf15f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAwE.exe

Filesize
441KB

MD5
9c9f254ca416b207ecbd97b235c15cc1

SHA1
cbedb39c8a91b7072fd62287bbcab1f7586581f4

SHA256
013fa13ce93fa14272becb08ea2761f5be3a3c2a2828a99507745318cceee5f6

SHA512
51794f59fdc699303fe95562f565331665acf75f3e1c3e416f2b8d5c9c66e9b5d227e1747d2220f5ce69209822613afedd0fa6190b180559b64f6be51fff003a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GckO.exe

Filesize
433KB

MD5
0c77969d36f7586ec48e9b70c1e42c22

SHA1
25aa4f1ddefe7021bbfb8b63ac5644b0918c8034

SHA256
e4c04936fe438491258f5b7895de53f3616edc14d0629875495ea626c22213b7

SHA512
df3af995527e02aa5c2167d396d8a82a60662c988bac7516ae4905055b92696fd54404c4f4332fc2db044bda7b6b42a0e74ad55ece01f6885325542465f13121

Download Submit
C:\Users\Admin\AppData\Local\Temp\HUwA.exe

Filesize
1.0MB

MD5
c059d1588ef982828d98d16dd9d71861

SHA1
f338393ae5270ec7bb35a077b54eca7bf442a507

SHA256
0e15074cbbca68b5c564baba20c54122c4901608113dbb19d420591e3131b5f9

SHA512
ae442d0ffa1bc3eb5a807f395b1e1a4dcff18ae5848ab109231ae701b084217305c44c12e391950b134f10d2fb842125d8f24ed07adf5fb00f652a8e2de88197

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQQC.exe

Filesize
807KB

MD5
f336fcae79a13469fa81e37214805cb3

SHA1
6393c9be3c4bb792348cef41b9168b9dc6c844ac

SHA256
6585d351bfa2b7654e400e1ce6d3dc77be188e086c497bdea12cc51d9c79d4fa

SHA512
37b46b031004c640db3eca64dee81753ccb80dd2157909b447182534fc07fa3ebce53e53a5a244b3a1d95088e6cdcaeaa20fa99879adf4b31263350d80d93a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMgO.exe

Filesize
442KB

MD5
1ff669e141db2ecae2b35c16ddc17a1c

SHA1
0efb1b80d6fe55722f21e652df70a026f5ef2807

SHA256
8262c5f832890ce0e16f8d2062c4b386e4beb1a304dbe269ec82a20346b1047b

SHA512
7a1148cde5ec31423cdbde9dde0adff54df94f1f760246a7fb4deded97ae9c5f9612f94d1368eeab4ef206d183b6317f33157b2a66f10881b8e9e6247a31f686

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGIY.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMgG.exe

Filesize
434KB

MD5
92f4addd6ddb445a71c52ee680a2ebb7

SHA1
85d9a4366a5bb62d6853e6fc78c83fcd645a3fd5

SHA256
270bae813db22378401523b1761268c3114f3d0c754ac4efd67317c126af15ef

SHA512
e831c3a4ecce77b8c5f7e4c9c842d56df81715931a3484787f5abb490820ff65f3c2d4ecdadc06d2160389353e58ff7948215adee486058807342d2a01243298

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkEI.exe

Filesize
1.0MB

MD5
6067921066029a69c9670829a6fd098d

SHA1
09f94d945c30e48e0fc93a33d8d4a56e4e614e8a

SHA256
2b26b82ceba893d543accc4120fe4c1bd4958f2d88ede0b7642077a18d6dedae

SHA512
233410053f4652973b63007e0bc8dcfc49d0a3d372c7a6dfb7149113a4a31d1a4aaa18463d82112e2bd9913f7ffe4f05ea4e61eb01c97264cde0a0a10197350f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEMc.exe

Filesize
436KB

MD5
8921677bae2c23e4c17112899e0d61b4

SHA1
1413aa5fcad4633f0c4c9bd3765fb09b108aea20

SHA256
ab61422e9d841446230d57accdbc900ff15c424f12612ecf8b3a7ea2e9650777

SHA512
b777817b82b5d38488d4197903d75be4b212de9c119b4d2c466379815afbe7c4911654ea91611b57a90088d6d6656fe721250d103715ca44c3574cb5254e0e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEwM.exe

Filesize
441KB

MD5
179099f578de80b8013a40cba5a0839e

SHA1
3ffe7e3c1bf1ff940ec26227a3a6567b6770ce12

SHA256
e00fccc5826dd8b1c2706b483213aeb25d12a51052d385d209017cab337b29d1

SHA512
f30687b4bda62cf63fc14f1da6feaec642ba69eb837c2a7d331cf6e923f6cb9b1d9df1370d5d2213d45d1dddb19e64d54e37a5a95e5102d6c74b527da76221c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQIm.exe

Filesize
441KB

MD5
6aa7b14e5a105e2d03b2cc29061ae8ef

SHA1
55a02b92523a3fb04d7e7a7812b08fb8af5ffa81

SHA256
41766603b970ef1ee009b55307868eac866fe30aec1e261c38e304a3fe694f19

SHA512
df226b9084497d927cb588233a2d8264c370c048a029e470c00958b048b00b016c707937d1d1d4b9e98a78eb782997f9f93e73705706b4ee9413389b20437318

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQEE.exe

Filesize
443KB

MD5
78622ecfa2e5da9ea37e49975a109ea1

SHA1
c9b1c39db91e4cf5eac7e20a20a66307530617cc

SHA256
3a15d0ce5dd0d5b7e2ec9ec61127427cbcec5430b52e254324678a3ff3a54d5b

SHA512
23a54bb2159518885ae722b375fb937022b7018165cfea1d1168665247eeb9c6bbedf4eb588d66e673042b009c420707c7c61b1194e1056b753a3345aa0b38b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RoAS.exe

Filesize
1019KB

MD5
614b8b0701c4df527438bf3e6a5ba648

SHA1
1d20e4a25dc30fadfe3c8fc50843dc0e4bcb5591

SHA256
5381c8f27a8da9b7394df5e352c9b5775c9afda5a7fa024f5e8f91184060ab41

SHA512
11133ff4704acce501f380e97f56a578ad0cfb4a702539f5192c491f63213a716a884d36fbca08dd4bd6712eae5abc6da56f28fedfafbde2cc872c89e3db1c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQAS.exe

Filesize
443KB

MD5
08a448e539a25901337d449d9812295c

SHA1
0cade2fc7b721f8d9df28ae552bf1d17483bee33

SHA256
91fd51333d5694b44ce4a9b4840b1ee15a5217ff4929d53b5fbe30ed0c88c126

SHA512
db8cc256e03551e3d787b818065cc91edc38cfc41d216ce282d2eafc5bb19f63aa891c0e4d9e0c8a1acca9f515225665072368c6544c21854a77f9ca2666671d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAQq.exe

Filesize
129KB

MD5
11d127c6e205e37a4f9466e617b9a05d

SHA1
7f19242d986017d5e85a1c5f0c27c31a25f5af2a

SHA256
2dd24515f57f4062195a532b933aa3053071a1f43f9c233a9964e4b007ecab6a

SHA512
1b46e0bac2e3a271c9f67771b09894386c8450dc6443756b5c2e98314fb02d244b36d7b76b87658b863f44249f3d09336aa1d9ba038f4c2908c554c6b176ddf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYcI.exe

Filesize
440KB

MD5
c4e803a46b69d9f57714b687b4d1426d

SHA1
118465a8f7475aa880cb41a2b9ebad451dc375da

SHA256
f3184e35cfab1119e4dc8a0cd5cce872a684071ecde430e4131d3113baf16059

SHA512
07ba3b33caa95effe001d8aca98f0478d5f502e4bffd6af50ed736cd09c9df25e79a4dba6ba2dc2fdb246b8d712872ffa653d3590c51927cb429c8c2dfbb34cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uooq.exe

Filesize
457KB

MD5
8b2e74dc12cdfc93634f7452a5f02d27

SHA1
9ae5feb3a179722faee3652ec117c1dc49898787

SHA256
0df6d12926e229a920b1b1644dff969dbc204b8475d53546865d0998706b923f

SHA512
7160be3843880e9d78660116c0b9f4a2b18ce9d8094ae17307f526580f2f9068bd6479dc21d6361a851784990ee32df7c9ad03b5d1852beaf39db60484dcf269

Download Submit
C:\Users\Admin\AppData\Local\Temp\VcMU.exe

Filesize
2.0MB

MD5
359467512abba5bf0cf7e301de40790d

SHA1
4ac069d84aaff42973d76d0090ed0e4eee857bca

SHA256
9d095582b484f971c9e88ba003e1c9b9074850cf7d88633943558fa083556dae

SHA512
160fe967635ff5c41f0e853199a7f9b936fec21355d22b00e0ca6bcb08e28bade72f58cedd47e8787a1f34ddcbb9a06f168956dc19c0e27eb0dac8a577a53b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\VsIY.exe

Filesize
437KB

MD5
1325816a45e6cdd46cfabb8cb456b264

SHA1
d5a9f780f87937c0bc0bcb6feddcdb53ac074c6b

SHA256
01a1f270d492e73a19c19516acb62257a43ee1995dfe7f853f25908965de5dac

SHA512
648676d6b6a729e244756785c67680f14ce910126b41e80500c9057a6ff135019bf45e7de03a164db04805cd62ba68f7f69c1b9a195f655cd655df2919829346

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYwW.exe

Filesize
885KB

MD5
b030d02e513e12d4e0512430b43e7d26

SHA1
01e04ea577c9c8c4422ff488e910f1750303d9c0

SHA256
cdef169f9ea2b6ca85f76fcd48ebbd5d6620f302e99c7071ae24e5d8edb414d3

SHA512
055a2ff3746489cd3950751d831632aa63c0053dae3c8e5a89db90e2476a183de1ad9a0b99dab7c4991e85c34dc099208a262bca181d33c0d683f935c3477ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEEc.exe

Filesize
433KB

MD5
a98c744f01d451741fe91abfeec22dae

SHA1
d38e2152395614d863e80318b94c6734abbe1710

SHA256
4c794d380c8e1c8f92ac9468be88d1cc491ac75f7053fad6431cc697285a698c

SHA512
dabe42abb03f01ab63cfd07b0c0889ad890cfd15c832c59f0348a2f84e3196b0626aecd338d119da36bfbb9c7f417265a9afef2401a7b6d3e2f241ebe2042563

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEoi.exe

Filesize
6.1MB

MD5
67d4d04191a3d83b771a9a9b484cb244

SHA1
fcad1eaacc17a63bb9ee5c331b8f6b0a477e2993

SHA256
edda3e422e2ac3b8088495c82271391a664c0a53ab90133fdc193cd3c99a8833

SHA512
4a94a19ee945ea6fab50de7fd70f4cc8dee005dfb19fb25cf97988771e104c8b1f609d4d28980a36293ebd6b3c748373c5182ba99d189d2fcdf69b4927ff3316

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgIk.exe

Filesize
1022KB

MD5
e2d90e78c947a41ca61f5d8d0534c8e7

SHA1
bc338543e94cc0a655e88d6c2fcd463796d4201e

SHA256
8318b70cc8d8f51c735bf80d38d22f49e4108d40cd4bec3af90f12001ca9fe65

SHA512
bb4c1b464444eb56b7870969d8dc4289e79a0706097a7908b5c55e896c57f92cb61172bf45fbab349d286891a6ab68dc182299bf66e3aaa9a75d8cca772d9f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIgU.exe

Filesize
437KB

MD5
228cf9211812c78a9f95167d3e2cb15e

SHA1
6c08fe84d6f3c6abe01ce4d180108d6bb04b8b40

SHA256
80721e517eee4a2e478b873fc36956f71da033cd4c88c2570229c6e876533197

SHA512
8641975d98769d1540a8fbf2af617ec34bfc78131fe9e51e16cb2add7189676036bb15b6af74d99fc47a42aa9868a04e4419d9d2b890c015c6781b8eeb73f28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIwQ.exe

Filesize
877KB

MD5
e399e9faaadade706d7ecee5518697ad

SHA1
b90c6dc9dd68c063a91fe93cca555b93f28b97f1

SHA256
b5b5325f341f167416165890d45bd2cdbaf2b5cb5f19ccb3d536a2223d4d61f6

SHA512
828f6891fe3216c886c817c12776e19f5684ad13582802e683849983b8878352354568a84b7589e8f0bd9bce2621d50187854f4dcb49a607bbbf7267aec007f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywgg.exe

Filesize
438KB

MD5
cae79d0ad6c891ef8c2d0debd9340b55

SHA1
ddd3b9bdd706f44130bbba0646eae12be0f1c666

SHA256
5af53a095936ad31d9af7128f881e39f0cf15a55d868ca10a26a15a18699082c

SHA512
c8bdec32ac09f6bef915f5d0ae1103e991f8f5973d6e360c4a8e4999ff710e0611d8e0f08540c95d2fea80993e681769a45de2c43c0f3fb348679ba3a77ecd18

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAES.exe

Filesize
887KB

MD5
ac785d0b31de2f4a58c0872ce21d71f9

SHA1
4c501436ca2ad81f84a166dd6a05e99c5bc8c2bc

SHA256
cef3be8a35ef1007e84ebfdbba11ae0a45c77f5d7663c50c83a0c6907a11e8f3

SHA512
bae34492b7c9c1775007cd66cd434c04e259b6f50186299570dc427cb2b036a0c071565d8867c78016a06ece4c79183c5494d98aeb49160bb35d6acbc1b65d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIkQ.exe

Filesize
439KB

MD5
cce0b268032d8228492d5cc6da69e9de

SHA1
cc1006de3f4847e7a90ac96da2993c052ba630d7

SHA256
d4fdc90f2a749f5572e7aaa561c69a3790310eb8a0cca5ce7d9236e4597118de

SHA512
af57992785a5d18c69d46e5712afafa70db8f54404f77b301905c1b14914885c0ecd07fa9561c96df86ac9563910bb24adb5813842c5e11c6334cc6a72ce5207

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckYE.exe

Filesize
1.0MB

MD5
704ff190f6ee24fb13b9cc7724309cf8

SHA1
8619f3bed0a721266c02b691ad315f5cef38b9f7

SHA256
82ad29c15e773a9509efb56514ae02c8b973d91ac11463a8140806a7158ca356

SHA512
705efb3bfb6e32098da7a37739c1a5d6a3d67a89a97e08194a41d5f94e0d0974e5a30ba530a5b39a020939d9f899466275a43bbf39ad2da41e62066318e01483

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkkA.exe

Filesize
440KB

MD5
cfebff7910d62c2f8800d2f32c62bde0

SHA1
47c4e157b93e753901a6bdf55701380f1a9ffea7

SHA256
82aafce9dca4a8238c2ec4053a5ca614fc3eb2dfd33856fc617261b31eaedd42

SHA512
193e87aca7d47b57acaee1a8c018105d7d9fd2307872774997ae6ecba9be668b6604a1e09e7e1aa838d78367c4b2034ea374edbb86103d6a5991fc2e90ded133

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIQm.exe

Filesize
5.5MB

MD5
95442e21c09cb6e13a99ff597d15a9ca

SHA1
3c20ed95cc37d83984970b7e2ca100b0d2453c78

SHA256
86a088760d64beea70770589815129ec47e2073e3434c5306735d9f89e6d8d46

SHA512
18767671f6beecdc7aa8ac88b8830bf849691d499d486ef04823eb5aa59a0ea78c6c10385096f9990c3f32ab7ad691bb1064e1aaf319ba96b7cd432e55816d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQge.exe

Filesize
435KB

MD5
0f2fb2b61cfeb5f71a4fa1f81ed877bd

SHA1
448318a58706c260a1f677bfc19f59c8f98f1e0d

SHA256
f937c7e0bb71188f7d14717d3d497712a49584d5d08688e6b7b0656f856b3595

SHA512
796d25e3c2eaa14fffd1cb6042c0b55dda6f8e61e353d32fb79717bb21bff4e4ad7bab7ee0e8340049f4bc9ecc01ffd68c23b9b3b94b09f4055b116f84c9d826

Download Submit
C:\Users\Admin\AppData\Local\Temp\fYoi.exe

Filesize
437KB

MD5
8015858527cbb932a992ca7bbbc6d143

SHA1
e287a41117ac38d54376da6571a607955c986661

SHA256
f4a4faaec74fb9c0d754f5a286c1f168aa5dfdd70fc427f98bb11eaf94cad49d

SHA512
022bad2c14f7d46e34e608202d586b47346d1adae8d12808ebf976fe5de3a0950c4cbdbda82e62a5825f9aa0b152411cbceebe5f48f8016a9da89ac9b3b40578

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUkS.exe

Filesize
441KB

MD5
114f91ebb9412719e82bff3f4df775e4

SHA1
a02f1c84e621e34958625cd2f52a756242def1d2

SHA256
403c77dda58f2b585d09ae63586882454ab5f2407fa9de9eaf691880434ebe22

SHA512
6426ab6c8e8a35a0e02c0106332c0dff073de9dc6a3c5ac4f301af045c642be1f462925100853965e215c77aeb46a0a969ea47a18c2b26d456420a5ff0cbbeef

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsgQ.exe

Filesize
721KB

MD5
435eac38dd49e4f857cfb42a44201b4a

SHA1
59bfe69316006826d0ea55a8a4c090040d502a7b

SHA256
8bf0c501adddec6802f94015a3944e6dbfd73e054aec3c0f0759244c430d312a

SHA512
fabe8ff98507df2ba18036d0750b3638e4862ec27baeb27bc0785bcf5fc9ee5788364454843d3c25361305b8a484b4642d9f79241f878a588b96b6b37c7d5772

Download Submit
C:\Users\Admin\AppData\Local\Temp\iWgM.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMcq.exe

Filesize
1.0MB

MD5
36c9470f3ba41ea112fe3754e5285015

SHA1
4edbad1c7c1a15db0d23603a20ec5a2f493064b6

SHA256
416c87012cf9a4a257e6570b3bc6de7759328b30183dc501ae9947517fb79d48

SHA512
99f663a9c2e69f5b43f31fba19bd404b22afe4a0da4519ddd6bf6c301ef62919b517a6c562d79694a2544b0e72e8d0a7d2b268d52f0ab3023a63d71fb4ed9eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUQO.exe

Filesize
435KB

MD5
fba9700b44b3567ea78a8c4c17dbf65d

SHA1
1a8cd2a6b66325203d3804d61d651b2dd940628a

SHA256
f9c9e8efbf24676530e649fb10364f86448c482510bae369a9e540b615f1f266

SHA512
c84ab4933061c3934b5b7bb1ef2cf71ced004b051fb2b511b2b01311d0b0419c262249f7e4d42e5c00f5a106e65fcc1fe9932c7fed9fd4664486ffa064229c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\lMQo.exe

Filesize
453KB

MD5
0f9cbb28d877e2a2e344d626177711e1

SHA1
2cbb0857d7cedf8ea4e63e68d5fcf288996dc5c7

SHA256
f0cdc471ab84085e15a6e612e902c2d8348d558be63eafba9f2f8a3e88ffd392

SHA512
4fb23639f0ecce45fc0c1271d14a204ff65852ff810c7e2f1bebbab93665c67ea5729f1e18ba863dc11209eeb9ad29683d2c7dc649366d51f979f221991b8291

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYwy.exe

Filesize
446KB

MD5
667b84adf3d4df6a575169ab65e99874

SHA1
8244df2371693c614964a9aca8be624e66424df2

SHA256
dc6db5de3b3ee793fef0c12f6b6e8500d3a2e5d6551a52e9b28d14a6fdfb0ba1

SHA512
32e31ae75bcb04bdb4324c6aa1b0e288f54e773704efec9942d44baabecc499a7276e7d86993cd82496c58472d792bec9eff36f14f884e3b83834d0161e42ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwMW.exe

Filesize
439KB

MD5
fa95d7c99371cfd3a67d704dd9cd6c73

SHA1
a5e658717d2159f58b6083d4be6c883edb83a9db

SHA256
a70c64001b70d7255d7112245c690216ea31fcff48aeb0799adaaa1515ea2424

SHA512
c0d612154a28c6f4f8abfaa4999ae73aecc95783ad67d21e2dcd741fababc6b04828a6892879cfb16b7edfccd26c10cd64e02a6fe8cddc88847e451b844c3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\nEgK.exe

Filesize
561KB

MD5
50e0b8b17d45a4017ff0e9997b618c84

SHA1
b5e102083dffe97ea86e23a2612e58e3be00e402

SHA256
72d7376cbde8637b588e717ba65f267c7a91f49e166721a3586f957fe5a06974

SHA512
1a29cf4e42b1b57e411e77945caa33e98d5c98afa605267930a74639c2ab0670dc26b6561393e318cc6ba63b4b3aba0cd807a9e6a459b79e1e48a86546bad140

Download Submit
C:\Users\Admin\AppData\Local\Temp\owAY.exe

Filesize
437KB

MD5
3e911804b26f9d28f3580e0bc41ed5f5

SHA1
c6e4871bf6f9143ca751b05999526d2f4ceca0ec

SHA256
5b32faf7370774823327136056e93e3c43198808d3d57380d3f21c8299085853

SHA512
0aba853a79ce000a56ada0107d22bb491f3160d6efb79733c615988523a44c829286b3e99c869efb2f987f17417d3c84fac850951ff794a9ec647a11c348b3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAkM.exe

Filesize
437KB

MD5
073b895d3d602dcea5493fc8ba13667d

SHA1
2ad4e66aa4b897f6b0953e03f4f57c8d4c618d29

SHA256
f55aff24c1efa258c69d0df154ba1bb85e4dc44db28c4c2c05ddb401a4cea64d

SHA512
89f7463d7d26613706ee848b3559274b920e412d04df9e8a01cd8b2c6e8a981d4e8c02dee437b6eb839ddcc03b6edc66932c3fadfc0c1e03ed90dab5242341c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pUcu.exe

Filesize
476KB

MD5
5fad3d2f94f2f9866ebc5c8edbcfc1cf

SHA1
c77bb7ed04feaeeb11104352f264560e2ab99485

SHA256
0f9a682a7b6b04758813e2945a09558000db1301bd3c18ea05c246367c87c42f

SHA512
39f83a5a1da2bb5ce2726cd93f6aaa3e77b7124a65966ca48be1aa624b5cf6678f9922f4bbe8c48884974d95b2c448293be3c7f458164fbf87789f825be3a265

Download Submit
C:\Users\Admin\AppData\Local\Temp\psIW.exe

Filesize
436KB

MD5
8e2a5e5856808ae320d65723cfd2cff6

SHA1
2fcb060ea16cde3f96ab11084b6d7c4c931e246d

SHA256
5ea3c74f88d7d6e091fb4c0d08d6a288acee6404c5e3c7ba5f157ac77ae1e81d

SHA512
29b9898a265f9282e9bc77aefd07480e7cd623e6a336992b486aa0176538cbcf4f742ad30a24602c456725646fb2ec4e279b0855088e0c7a803c68f92f1000a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEEO.exe

Filesize
1.2MB

MD5
9bdd99b34ed1b0ca45568677933d8b4a

SHA1
c4932cfcf3d512a2d74d0b73cce26880ce942ebc

SHA256
eca27167d940344da2de00d5692c4d99fd495a14f4a4e7ed5dad214fd34aaba8

SHA512
87496d7dcd1cd0452686fd3c24fcd05562739eba2c80c0f26cfa9ad17c44d64bfe48643e74de738f41b598eca57d1c8df36b31eaec92815b33b732cb5eabde13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQAe.exe

Filesize
439KB

MD5
3146e58fd82b2d30dce7bb112e48ccf3

SHA1
8296b2cb5a1b66dc30c9c8ee30e0f1c3c47c77f4

SHA256
1eaf08018a2cb1b609a65cb92c3c5702452318625de59e424f863e250664c7cd

SHA512
70749d3ff2e9a4b089e3dbdfecc5940427bfe6adf282596fe394402070c10c5b764425d4fb94eda7cde4f669e4fca31041f9bb81ee3844bc5631fc60fadbd834

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUMm.exe

Filesize
436KB

MD5
32df941e3e5b115b86fa541bd3840d10

SHA1
b4687d258233ab13f57fa32fde6447728591dce2

SHA256
1d08e3797931aaf5d9eeddc13f462d4029199044045feb0b78ec8fea62a6c163

SHA512
810e7fcac48d8bf656d389cb8327e9ec11210357a04f9fe7db09d23e5d2ef05f619c78594d404a89414e045493f9e3666df07ae6dfcd03e7c7cd454c4affcabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgkm.exe

Filesize
438KB

MD5
acee563dc485d54e21d91a024535c28f

SHA1
16163c6976541c8b833285d60671b37eba7f6886

SHA256
462f6a07424232e12ab7a4457e5064a80d1e6344bc1a354fd1ff58081078514b

SHA512
590587c7a68394d545eb715131c09e724aaec03d93623782568dd6a7b96664c40ca369188f4fef1bc6c20f90cce6845f11deb3e5674a913dc7370e608015a0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsYW.exe

Filesize
440KB

MD5
51f706ccb74f25a3fd55c3bbd0aa2a06

SHA1
461fc158564853458d87a3feebc966e995adf70c

SHA256
f0bae27c2ed5ac70c46ffe091adc13d32a08083be6bd29147ff09e9b7670b628

SHA512
0c682b0230e7561e55a5bde28b24993222e2a56214c5a88c9084b9959300f21d7e25b154019f6d6eba55d33da1bf302426b44bbd11353a2ba2d6b0d9e0bbc45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEcO.exe

Filesize
434KB

MD5
2252d076babf05c525dab7d1105f4d29

SHA1
7c80698826686c49ce60b7eb692cf2b426d45f61

SHA256
aca9feeebe2012b6f198afe5d9d6a17b26e8d9693df31bb9e6f8e959dbe74109

SHA512
4d881640f127f686d0e6d8040c38aa5d98ba5d7ccdbaf3c929e303c915c70d4548cdf63c2f7c260dce4e36a7d1ffd117a96b90fe206a2c19ec9789351065e777

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQMk.exe

Filesize
464KB

MD5
5c539914207b664c000b168145e659d4

SHA1
164bf054a9af7af0aee0e14e9050c06b41baec7d

SHA256
deb9c1c878e8b23d49aab452833f61d4198e4e4f718338bd70156edaa01b45b7

SHA512
141e5176e41dd248579583a1d65a43159c648a1567257a6e9726a37dfe141c5bf384fb88af3081c475a9989b69d5326046cc249887c83379693aee9d460bbcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUEA.exe

Filesize
880KB

MD5
53c36625ec5034c9d3896c8d0ac1cb19

SHA1
d70a6eb995fe0f5d1cb25e3eed7e44c380c97b1d

SHA256
2a5d38a0e6f79bbbfa40b8f93f77d798d3ea38e7a7f9bce5d3320945f070462f

SHA512
92c9a6669757d4896aa6daaac7c92ce69b42ca0972fc599f559bb02dcf50b9dfe296a7f4b68c3f18a36f0e9ef163fb16dfd33e713a1273f97f213ea6b06fd3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAcK.exe

Filesize
439KB

MD5
59ec60a752dbb8d11e0f6fc8a4d514f8

SHA1
29d52a9f36f36018163b96fa88690a3de3cbccef

SHA256
07fbc2fb55189181364ebe572ce3b057da2d5c1c6b89626beafce18ed02182a6

SHA512
9d38cde1fe5f617c73a49e4d6e987634af9404295f90b239180698c8f3c09e54a4c48b637046f42cd612e99b7c51049fa36e92bcfe657e1301a68828b8bce53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwAG.exe

Filesize
441KB

MD5
115876810491f9e3d2a7c18d9f1dd767

SHA1
a37b8bba12a467a120f0c68ca836801f4413b416

SHA256
44ff107e05e2e9390ed7c556b0497b01a133f5a290a8e9694c045caf945449d4

SHA512
215c7e7ea4eb59881ad0f4a1e0db0f046ef0c58a26efcd75dcec359de546ef736992aa242f01caf9009961adcb0b1b32c9b7a0bd44b7acd12b4fe0a6f1c8f238

Download Submit
C:\Users\Admin\AppData\Local\Temp\yagogEoM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkkA.exe

Filesize
437KB

MD5
0e711b7e14afc0e9ce7057c97fdd02f7

SHA1
f6d27023018cc499c4d55eb89ca750e6315861bf

SHA256
07cfcd080e8c854e9fb4ef6b93c0921cf93620e4e21a44360539d1db85808649

SHA512
355c8860654dcc93fe9a555f2bbc55e91ea02686a909d4370f2b2ec8cfe6c120575f6b248d29839f86a3c27ff560059284bc2a7f0280bdbae5f03da22ae3f223

Download Submit
C:\Users\Admin\HisQIsQc\MuQQgEcc.exe

Filesize
430KB

MD5
8c0c6703bd964a777c361ebfa564fde7

SHA1
b249866493090127f3f3e3ef63b27744454d50f5

SHA256
7038ba01c8dea7b6243b7c1b2f7b03cdfeff2d09adb60a308b6a42be4069a233

SHA512
b5499879bb0ec789ce3194048949ebb4fc16c7acb8718f25e5f5a4d6640b0e175506312d9870a1299040b095b62d348cd80ec9e781a266d771ac67f33a7fcc28

Download Submit
memory/372-42-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/372-53-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/396-158-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/396-168-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/624-66-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/624-58-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/724-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/724-77-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1328-296-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1328-277-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1376-1120-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1376-1146-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1584-261-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1584-222-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1608-480-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1608-505-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1812-757-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1812-790-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1872-646-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1872-670-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1948-1180-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1948-1188-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1968-184-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1968-198-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2292-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2292-116-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2776-86-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2776-78-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2880-614-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2880-578-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2924-41-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2924-31-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2936-703-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2936-724-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3196-181-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3196-172-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3460-117-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3460-128-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3472-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3472-102-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3908-302-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3908-342-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4164-115-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4164-103-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4216-6-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4216-90-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4280-101-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4280-91-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4468-999-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4468-964-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4500-1041-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4500-901-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4500-870-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4500-1078-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4500-1179-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4500-1172-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4600-385-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4600-436-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4700-30-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4700-22-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4856-826-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4856-809-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4892-76-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4892-67-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download