b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4d

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
Size

4.3MB
MD5

5ce75f67cca52efab0ca5b392f5f1f30
SHA1

ecebb896498d119bd0939fb865430fbb09f57e9b
SHA256

b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4d
SHA512

e6d19e23f1a8b51fc2f218c6882ff5ec5f624fd18ee4eb2c094ba65901c3b3e68700134ffe74d96a3713ded2000957cabc22c6fb5595d2cd7fce18f08973d933
SSDEEP

98304:62Zp7E72G3WhljEY2MFk/cBLQKU8Yin/iuLzJQrl:9H7EiG3WhR2MEcGKLYinDLzJEl

Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 17 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 17 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	euUsAUMk.exe

Executes dropped EXE 3 IoCs

pid	Process
4280	euUsAUMk.exe
4812	ckckUUwA.exe
1624	LicMYowc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ckckUUwA.exe = "C:\\ProgramData\\GqUMkUQg\\ckckUUwA.exe"	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\euUsAUMk.exe = "C:\\Users\\Admin\\XAsUswAQ\\euUsAUMk.exe"	euUsAUMk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ckckUUwA.exe = "C:\\ProgramData\\GqUMkUQg\\ckckUUwA.exe"	ckckUUwA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ckckUUwA.exe = "C:\\ProgramData\\GqUMkUQg\\ckckUUwA.exe"	LicMYowc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\euUsAUMk.exe = "C:\\Users\\Admin\\XAsUswAQ\\euUsAUMk.exe"	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheImportInvoke.docx	euUsAUMk.exe
File opened for modification	C:\Windows\SysWOW64\sheInitializeStart.mpg	euUsAUMk.exe
File opened for modification	C:\Windows\SysWOW64\sheOpenTrace.xlsx	euUsAUMk.exe
File opened for modification	C:\Windows\SysWOW64\sheRepairFind.xlsx	euUsAUMk.exe
File opened for modification	C:\Windows\SysWOW64\sheUnregisterShow.docx	euUsAUMk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\XAsUswAQ\euUsAUMk	LicMYowc.exe
File opened for modification	C:\Windows\SysWOW64\sheCloseTest.gif	euUsAUMk.exe
File opened for modification	C:\Windows\SysWOW64\sheConvertFromSync.pptx	euUsAUMk.exe
File opened for modification	C:\Windows\SysWOW64\sheLockConnect.gif	euUsAUMk.exe
File opened for modification	C:\Windows\SysWOW64\sheSaveImport.bmp	euUsAUMk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\XAsUswAQ	LicMYowc.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	euUsAUMk.exe
File opened for modification	C:\Windows\SysWOW64\sheDisableRevoke.mpg	euUsAUMk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	euUsAUMk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 51 IoCs

Modify Registry

T1112

pid	Process
4184	reg.exe
4880	reg.exe
312	reg.exe
2628	reg.exe
1968	reg.exe
2336	reg.exe
1780	reg.exe
4824	reg.exe
832	reg.exe
3416	reg.exe
1476	reg.exe
4348	reg.exe
1852	reg.exe
5072	reg.exe
5064	reg.exe
1896	reg.exe
3708	reg.exe
4100	reg.exe
464	reg.exe
3520	reg.exe
4688	reg.exe
3012	reg.exe
928	reg.exe
3364	reg.exe
4452	reg.exe
3828	reg.exe
3792	reg.exe
380	reg.exe
3432	reg.exe
2528	reg.exe
4200	reg.exe
624	reg.exe
2136	reg.exe
3848	reg.exe
2284	reg.exe
976	reg.exe
2072	reg.exe
2316	reg.exe
2172	reg.exe
1840	reg.exe
4916	reg.exe
2524	reg.exe
1628	reg.exe
4420	reg.exe
1992	reg.exe
2040	reg.exe
4472	reg.exe
4492	reg.exe
4440	reg.exe
4104	reg.exe
956	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2748	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2748	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2748	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2748	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
228	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
228	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
228	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
228	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4520	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4520	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4520	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4520	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2100	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2100	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2100	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2100	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3444	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3444	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3444	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3444	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
5068	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
5068	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
5068	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
5068	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3928	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3928	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3928	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3928	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
1868	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
1868	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
1868	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
1868	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4940	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4940	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4940	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4940	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
116	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
116	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
116	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
116	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4980	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4980	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4980	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
4980	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2480	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2480	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2480	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
2480	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3200	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3200	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3200	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
3200	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4280	euUsAUMk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe
4280	euUsAUMk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4280	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	86
PID 4920 wrote to memory of 4280	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	86
PID 4920 wrote to memory of 4280	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	86
PID 4920 wrote to memory of 4812	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	87
PID 4920 wrote to memory of 4812	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	87
PID 4920 wrote to memory of 4812	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	87
PID 4920 wrote to memory of 5060	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	90
PID 4920 wrote to memory of 5060	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	90
PID 4920 wrote to memory of 5060	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	90
PID 4920 wrote to memory of 4200	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	92
PID 4920 wrote to memory of 4200	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	92
PID 4920 wrote to memory of 4200	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	92
PID 4920 wrote to memory of 4492	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	93
PID 4920 wrote to memory of 4492	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	93
PID 4920 wrote to memory of 4492	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	93
PID 4920 wrote to memory of 3828	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	94
PID 4920 wrote to memory of 3828	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	94
PID 4920 wrote to memory of 3828	4920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	94
PID 5060 wrote to memory of 4104	5060	cmd.exe	98
PID 5060 wrote to memory of 4104	5060	cmd.exe	98
PID 5060 wrote to memory of 4104	5060	cmd.exe	98
PID 4104 wrote to memory of 3096	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	99
PID 4104 wrote to memory of 3096	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	99
PID 4104 wrote to memory of 3096	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	99
PID 4104 wrote to memory of 928	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	101
PID 4104 wrote to memory of 928	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	101
PID 4104 wrote to memory of 928	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	101
PID 4104 wrote to memory of 3012	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	102
PID 4104 wrote to memory of 3012	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	102
PID 4104 wrote to memory of 3012	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	102
PID 4104 wrote to memory of 2172	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	103
PID 4104 wrote to memory of 2172	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	103
PID 4104 wrote to memory of 2172	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	103
PID 4104 wrote to memory of 4940	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	104
PID 4104 wrote to memory of 4940	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	104
PID 4104 wrote to memory of 4940	4104	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	104
PID 3096 wrote to memory of 2920	3096	cmd.exe	109
PID 3096 wrote to memory of 2920	3096	cmd.exe	109
PID 3096 wrote to memory of 2920	3096	cmd.exe	109
PID 4940 wrote to memory of 4672	4940	cmd.exe	110
PID 4940 wrote to memory of 4672	4940	cmd.exe	110
PID 4940 wrote to memory of 4672	4940	cmd.exe	110
PID 2920 wrote to memory of 2740	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	111
PID 2920 wrote to memory of 2740	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	111
PID 2920 wrote to memory of 2740	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	111
PID 2920 wrote to memory of 3416	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	113
PID 2920 wrote to memory of 3416	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	113
PID 2920 wrote to memory of 3416	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	113
PID 2920 wrote to memory of 1628	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	114
PID 2920 wrote to memory of 1628	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	114
PID 2920 wrote to memory of 1628	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	114
PID 2920 wrote to memory of 4880	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	115
PID 2920 wrote to memory of 4880	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	115
PID 2920 wrote to memory of 4880	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	115
PID 2920 wrote to memory of 4044	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	116
PID 2920 wrote to memory of 4044	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	116
PID 2920 wrote to memory of 4044	2920	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	116
PID 2740 wrote to memory of 2748	2740	cmd.exe	121
PID 2740 wrote to memory of 2748	2740	cmd.exe	121
PID 2740 wrote to memory of 2748	2740	cmd.exe	121
PID 4044 wrote to memory of 2316	4044	cmd.exe	249
PID 4044 wrote to memory of 2316	4044	cmd.exe	249
PID 4044 wrote to memory of 2316	4044	cmd.exe	249
PID 2748 wrote to memory of 2264	2748	b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe	123

C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
"C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\XAsUswAQ\euUsAUMk.exe
  "C:\Users\Admin\XAsUswAQ\euUsAUMk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4280
- C:\ProgramData\GqUMkUQg\ckckUUwA.exe
  "C:\ProgramData\GqUMkUQg\ckckUUwA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
    C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        10⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        12⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        23⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        24⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        30⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        32⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe
        
        C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN
        33⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN"
        34⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CoUYYYUQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caQUkoIY.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        32⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKosMskk.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        30⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOwsUUQU.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOsEcgIs.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqkgEEMo.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        24⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOwEwcMI.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        22⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMIQIwEc.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JScskkEQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FKEAAoEQ.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        16⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEEUQcMU.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMQEEoQg.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        12⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSwgwYoo.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        10⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSkwMwAM.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        8⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4148
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3416
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1628
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwwAEoEM.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:928
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3012
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIswsUws.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4672
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:4200
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4492
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NokgsAgA.bat" "C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN.exe""
  2⤵
  PID:4492
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3332

C:\ProgramData\HKEcYkcw\LicMYowc.exe
C:\ProgramData\HKEcYkcw\LicMYowc.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GqUMkUQg\ckckUUwA.exe

Filesize
432KB

MD5
b297069a163e639b88f27389bc9e05b0

SHA1
2d216e666c10530fa7bdf295a5ed22ad53f898b6

SHA256
ef76954b00e14da1caf8a5a9629df1912a5a521c1b81fda0658f604bf70154d8

SHA512
1015759a375451e62238275eb9edf893c246a250e0f591d4170e6692edcee87ea69e29cc1febbf699091a3fbc7782504aae5db26b9f56a87225632086d39bdc3

Download Submit
C:\ProgramData\HKEcYkcw\LicMYowc.exe

Filesize
437KB

MD5
ddfb0ae2741c078ab9894e09fe9e3de9

SHA1
af0babfdf9140d691bdad4eb736631dcf2bcc1b8

SHA256
a1b222dec341ac6f2e535f994d84c75eb02af92c534f90661c5c2ef57c838bdb

SHA512
7d171408770ca51fff51db29fa1e771713f1f4e1a09e59206a9a14072ad8aa12cd6446176807985c7544764fa0353cdefae1c3e4e6971f9fd6a99c2d31a0f2fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.exe

Filesize
444KB

MD5
3fe98bc8ceb924147fb7e2c5340f45eb

SHA1
7f0dd06f829f425ceac98f0e4e573433b2c74148

SHA256
a900317d88a463450a65e9908f7cfeedc4816f3e4d8e02983c8e33739cb440f9

SHA512
46c0a8a9056790f15ccf54c75a836d4f786699da8a7d361c89ae0c66844983d8ccadee252a8a194d4e65846b38e6298a4663c141aa6ef5f1039c5df203769acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.exe

Filesize
437KB

MD5
4b1ade859749a68f83f7364943e7c3b6

SHA1
8b435108b89559f6378c7e941b254f8e85bdf844

SHA256
b892ac4929b9e755d1a4dee1185ea65f1ef380cacd281609a52a9f619b47a622

SHA512
ea08e2ffd3276a9a08dc4a4fb0f172afc83eb3cefe2962d71923224b04028b918909a5d72d6a413a7f7f6396608033c2bc21c4f43a86aeccb559498c040b5729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
435KB

MD5
6c65c39cf2f7fff706b4fc6b3c437eae

SHA1
39104fea39e2256c07a82574d4c051f6d75c14ca

SHA256
cd478a5d2714192511a727b13db0d32cbec9897e168531c2ef87f59cc4e8cda3

SHA512
ca8b2f845c1d085bf132cbd3835ab078ddb34a9a8c869ef6b783a527a21411d5ee392015159840d46da3b8e6157128920959ad64493446e3e6eea7033eb499e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwcE.exe

Filesize
556KB

MD5
8b6005e902c86cfb05d9f8797e56c0d7

SHA1
3b8758f230ba59233d95077fe6376177742664b6

SHA256
6fc200992fb68ec6e81ec9b4915534ca5e99bc32c275095b400c6254612ee295

SHA512
05bda31069b66a03e81f5460fd611fc36643bb8435f255473f4241eafc3ee2e62cad6b06d6262e84d580ebe546d8376a75d26a928ce2064bc886010b0632e800

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQoc.exe

Filesize
436KB

MD5
4121cf6ada64e1927739884e6f177571

SHA1
1566a91e8ab55e312d167b97a75055cf6421eb2c

SHA256
0043612aef5cfc982d79f47b360234d8bf61d155474d0959c6aa5693ff7f972d

SHA512
ea0bac80d4df46287107bce368395812eb331638dfc3c90c310cd681a459a95f06bb5c16a166b2533e621fa23a435f6d44c87f7910608b68e51033c88a92f18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CYEk.exe

Filesize
1.0MB

MD5
830de298c26ecd13f65415a621288a4b

SHA1
f17ff0abb5d996c712d64c2a729ba81d40200b85

SHA256
730fa6f59f068f1d96b9a142f1ddab807b39d49193fcfbbe9a634d90023a0697

SHA512
4843ae1e2de3484ce275ac27150e1a0a1177b3a705626ff3cb368a39b37cc8fc236db4e271e75012c75fa44046122a463801f6f2b8540850c0170936d2a433a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgAG.exe

Filesize
448KB

MD5
c41578647ccc364018c2b56323a8f7b3

SHA1
851c1a5f3b5259351dc07c5fdb4e94ae391e8d54

SHA256
beba6128c4da8acb382804b2d5ff5ff139724bc42a605791e256aae4486dc8dc

SHA512
abb717416cfb2bbd44d32f5e250890dfcde54913fb66c67a019beb468d1cdbc6470075a5605a34722b66224119150139613647e0055a274ee46cc8a847fad18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEEG.exe

Filesize
437KB

MD5
2797a097eb78ddbc18c13e465dec133f

SHA1
454d8a0c062bbb8037d0e62c643a14bf75fc00f6

SHA256
bf33ceb8f3c5eec7192015f4b2af60aef9e2993621149f45660ec1f9a6c73e2f

SHA512
43224d2675a586bec9f621b45d6bbfd795c9a98bc148d0b01cc44e764f7f9822f9ed3c0b9259395aa7e04a1efb6e1147fa638bbd77ff3c86b918162911ecc712

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIEs.exe

Filesize
439KB

MD5
53e04ea65dd856569f0057101060328f

SHA1
5dac0fbd3428c23900ea9f7a6c1df6ef37dd86f2

SHA256
55ff5102e4bd5b0406a6d8652fd89c2e3ac4ad8668a77a7c7db2aedf2b1025d8

SHA512
c208cadd4b3724f534a2421977c1fcb25285c2d3b45eb229e1a3fd231ca563b35ae702bda1b03b4236cfdb5e1bee72b1f3b234a44120a7da88e415699cf430d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIwU.exe

Filesize
442KB

MD5
95cb9694689d71f0f2f4391e99056f25

SHA1
f30fc85deb1dfd5f6c1c7933d1c1dd41fe3c6627

SHA256
f3c7c6fe3658a2e0815942800f5be61ce91e87a5538cfd64a9c2da01871cf7f7

SHA512
28fcea29b5b67df979785c157c395be8a91bdc6eb33bf7cbdc97a0b04b4d11e5bcd83622f159f3791e4be3b7fe84234f52908c8a416202d9e20dd4c6103824d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYkw.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\GkgU.exe

Filesize
461KB

MD5
5a19eceeab652f7a4ffb8131d9ff4bb0

SHA1
e51012948fc1863d106810204588ddcb4ca22b11

SHA256
e20b83713b56ce18cf7dc849e1369680cc57e71858e9ed4de6860a3bb06eef9d

SHA512
504a0a4aa678d11e809afbc478950930770f654bf6d07eda49ef5cdd025382f018d16b01b0d25399dc07f8851c128b3c5150634bf2b78e1d3e3ad2dda6ef6ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIoO.exe

Filesize
1.0MB

MD5
18be1d6a49afec5e9df1d6d84d3215d7

SHA1
eeea22e85ebb8ebc60e3901481953873f0f048af

SHA256
1d83b9ceca55508a5a5713165ac2557d9aa4def6229a7739a8ff89fa3a27da87

SHA512
893f0fe55e370bafb2b5b98f27384ff46d4a598bc341d93a7b86df901ffaaebc447fc3b0c9cec99e164d22f7d3ecbc9a0c874605112f7ee364eb9f5ea0e4db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYck.exe

Filesize
442KB

MD5
4c234523fa44bd27b6fb75301f8d5bc2

SHA1
8bba33fc2718f576d1fcd065508ff10816b9cef0

SHA256
98cbaac67eff4d0da7806574e474c56a3c6f95cd921d2e29f041effe1dad31c0

SHA512
5aedc928be71f5343e26243617e3947c68b6ce71d36a1bbbd966aeafc3c96101d89f513d195369d7adbd8fbd1b080095dcc9368c12624bbc1a5f66b972f633f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYkW.exe

Filesize
1020KB

MD5
d60d0edc198aa5b11e1068c637012f61

SHA1
092bb0dd7cc82be935d26ccfe0bb8f7d412bb4f5

SHA256
3e0befcfa2b9b73e55238c16bc7b28798e98930db43162e53c0799a463b73180

SHA512
bb07e99a303bfd07e93209bcee996ab53f1ed6e6e566c98e38f30c9636370aedcf00da1402856860877e7203a7e0f2980bc8f687dbac07eec3d6b8b4cb8a68f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAAw.exe

Filesize
441KB

MD5
1af421b5bbbc1790783f8b8383d0b695

SHA1
d04eef2908e6f12b4932c9b978b8105411b728d8

SHA256
6963b11259d16cc348984030c23a0f606d5e7a8e54547ee260e6349c3b0d7947

SHA512
56ccc1ae632d3f6ad9d787d638c9652ab6719b741597ebc343ba165e606b9e0fffc4afbf8f5e1762023ff27fca36add4bddd8eced64472e7fa629224037840a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcMU.exe

Filesize
475KB

MD5
50c45f2267d59a3de246dd11c365494a

SHA1
c74faa9d7cd9cefcac73b4ede85907837d427de9

SHA256
22c35352061ec76f2920296bc5294aabc721213b0702726dd9720d37851d591f

SHA512
17eff5f26b5a40ce400d3a775250ae6a8c989275e5a18d89ed0b5d97a8330b2470ca4aacf53887c77f2151320ae579e2e0c273bfc0f372ca75aa910102e1826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEko.exe

Filesize
438KB

MD5
f42e2d023a08251b5573234e7ca165c7

SHA1
c7f5268ce93d0501e252dadfc520f667ce2e1e49

SHA256
45d4941336f78d19c0b2cda6eadfe3273975cb4d9b78d221f621daefdaa60514

SHA512
59c7deb088329a237367d795a5c97aea57fbbc40704e2ba8c3b00581b8531065fc9b32a6224558d1586aa381b5f8b06cd68fc095da29534758efc86772b46e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mssc.exe

Filesize
440KB

MD5
eaf17a7307db521c524f96bfe79aeb42

SHA1
4c3aeaa98e41ec8a6574b6e85d03a9af17f1ddf9

SHA256
54b2cba82b8ba778beee8a6366962c9088659f6e79c83049b86f292804fbd44b

SHA512
b228621966b04ec970bcad71551d961f2e53d9745e79ced8d497c2caf7264a6b6d5294ebddf8b1414effa734ae5b72587edaf7c0f84fa2dd951c43ab3454a247

Download Submit
C:\Users\Admin\AppData\Local\Temp\OssQ.exe

Filesize
443KB

MD5
2124882784641547317088fac0562dd5

SHA1
03cef5e3ddb342d091dad25099830fbbbc723ba2

SHA256
dac27a4d0740dda95d67aa0d3661b48fe57203621e8d6f51b6bc888e4bae0cdc

SHA512
9703f7e67d7f5f7d9b30bd958e46275ce4215763878e79637ca2e7df33e93e84ad93a6eb7d1f9c99d10a0949e80f5ba92140b1a4348363f21fd60e3ec49cb07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAAu.exe

Filesize
873KB

MD5
f7179c70bb38ec6948575ea5664ba672

SHA1
d067b99616375ecb08963665ce8c03eecaa35f4e

SHA256
e61ea765f81136eb954371f06e41a44a75cfe75cadcab75f74235bba4f3cd11f

SHA512
858e206ecd9d2d5da4ac95dbffb5dce3c041a974fd6a916579a37809658ee3126aed51f524423c63731e96180ccbe3e02c31868c2b48239d96c99f1383705266

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQYQ.exe

Filesize
6.2MB

MD5
1af13daf20116659eda4884795824305

SHA1
f333bbbd63e2041cba247f23c95bae933369080a

SHA256
89ddab4e5ee1246c34fc06217cddef6b9ca5950c793dd186627f96113fdaa82e

SHA512
4176b013d91e84e7ac51441a1bd5fe49a4e440cc70863f1b46b6f1b7bf8e9a1547c79ff437b10550857ad4eee0e5b21a531baf6c2fd5a4a170448e7ac25db358

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUoK.exe

Filesize
435KB

MD5
159299fe5e437f1382144b2e96534279

SHA1
7755e95d87de1f9d6cc4c334207a1a5eaf3e5547

SHA256
857dfd7ea8334c5a5e92fcdfbaa33f558267a24159e5923970942f1ef554c727

SHA512
a09af1402ca2ad3179b41dfa2d59f1df7434bf3291e7e84aef88a8d5e8518126797cf53a5be4f0d0d422c7a2113dcb52dfbd6da83c12e69911dc021493a9c896

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAkE.exe

Filesize
439KB

MD5
a49d0a2aefd723302123858f9ba41ff0

SHA1
ef73f0d24f1f8c375daed2190616930e6f7ac0bc

SHA256
828f9aa19aa1b27b66879b9ece003673d49711e30014225562031079c64c7add

SHA512
ed166a096c259803ff4f435e53838b0ea04835b8dff4ff8fdfcbd6aa796d7bbeda0970bc3173c0b2532253902182cd047dca9257227b7907a443fbaf89525448

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQcy.exe

Filesize
888KB

MD5
a9806eb8bfbb3bd47e3869cc2a24e3f9

SHA1
d5ea4708bc9c8a75b8cc1c1fb13d4d9fc7858644

SHA256
cdfe428a71c3a22945f4061b19c807a9f657fca1c740389e0dfe9fd6447c68c4

SHA512
8815ac9f011cff55927bd9a2cc39975731c864817b7067012076939162ee197900125004f4a2f204f19346aaa51bc01ad2c580761c384179b8ebbdba98537749

Download Submit
C:\Users\Admin\AppData\Local\Temp\UYkO.exe

Filesize
438KB

MD5
944748814ce25f5f08d48c1519c55f61

SHA1
cc5fa92ace7227c39c51176970fab838d7d84675

SHA256
23e836b95484a0110c940efc73e3ee4674e7074416792d3a9e2b12486b78fd47

SHA512
0915c3a754d3d24aa85588c5ead6179d31fb2b0c1c1f75bca3c6de43f5331ba9c061b593a15e7d0e96ceca840c4d594bc7f846ae800bfdbbd852949d45e0fe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcAG.exe

Filesize
437KB

MD5
da17c504e80a4117a4ed317eda90ebd9

SHA1
a9faab46d4155c6ceabba4737e8eca369e1bdff5

SHA256
b9bced769b129fff6d079df71bc72c76960ea5e44c79dc5a93903b02569de1de

SHA512
3822e50bf73c9ccf4acb4eebd1ab0d6cfb1123fbfcfe980565dd3df6898664d83d38527ee70782f3bbbaaa95253cb38ade03be0300eb4ba7c7c0798fdfbe973b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ukoo.exe

Filesize
888KB

MD5
f75101f01d248d043e939c208cdb6683

SHA1
22ff9751eccff4d0e76cdbdea18e71da9beb8b89

SHA256
4ba5783908ab943759ed54091f640dee70b17fa08d66329279a85326dc242ff8

SHA512
229bf870075f0acbc01e1b6092cfd8efee90a1fd709a579fd86951b089029ceb598f08cf47e5300bc4db4433a5c0edade637dd9698b3451edb37314b36f5d36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQYi.exe

Filesize
887KB

MD5
2f1737ad6cd60463c6d7df0e481a595b

SHA1
6535d5d3c9ff76426aeb32019c6afcd2fbdedd26

SHA256
ade402ecf8625901876dc81d91030789a6e8a5e2fc3b99c209064c8551826d8e

SHA512
3ca00f218c13333cab98d5ed4ba8af311d9011083db308d010e3029170cc272cb4a762ee963cd450b877b9c71d4e8c32d60e6ccb5230a1da25541828e4ed2ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WogK.exe

Filesize
435KB

MD5
4a6aae611147a725c2875b599d939d64

SHA1
6fe685e07b67fb5cee2e31b6d849cff4b673ccc5

SHA256
535238df85408103cb88272a052a4db5500d2b2622427319c70a61796d99490b

SHA512
0efd69b324c6785ebb72c43417cfc72b2b90bbe11f9cb0456042957ae3d3e9069eaac9294fbaedfa70180cd526187498d6823ceeb8d75afc22ae8e05cd02d255

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wwwk.exe

Filesize
471KB

MD5
5782c572ec33673426ee18639003dc88

SHA1
c4b83ba8cb0bcd8e4d84910dcd59532fc32cca73

SHA256
8cd1f50a61d91e01d45e5a92aad7e2ba13bac5b22f4c0106e4388d33181e6119

SHA512
166a8759e11024cb56745e3d4bc887a2b296aee54e4692fdecdebdbbb5430b2fc4d273c1b1aafadb00afe9560a5eff9cdb2e364b46545da3849c0c94d508b511

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQUm.exe

Filesize
438KB

MD5
5f670680e1d4e5eacd013ad5908c7e95

SHA1
de79e8501feca0e21adca28e107e1f150e77405d

SHA256
09c97a0577f2e25e028b09b4ef74ffcf65d7975df50d15eae135bfe9e08612ae

SHA512
42f1115bdae931cfd9c44728bd1b70b7a7bae08319236dd873b98bcbc2ab4b2d8d27ecd495ccf5e9004e9927b784c07d560aa8243de7cb912945e20f8850d269

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsUo.exe

Filesize
1021KB

MD5
6195405f116280543b3c03cd23a3c863

SHA1
bb8433b5e4c0f57c08e18ded33c8d4168d253ebe

SHA256
7c7d9e1b7bf1c6bc5cca9e691eba12a981d8ed3af51dbffd00d5adefa48987e2

SHA512
91d16c189552e6a67bb323da501375d792509422b5014217867dd7a0c5ed60b51a0b3d82cc33f8bcd823f191769db49d26253d13f84658821310b9607c91be0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ywke.exe

Filesize
443KB

MD5
171b4c9b5f31a0745f4a7881385aaa79

SHA1
8e3b91c35733bba47b3010c037377bf7d6246657

SHA256
52e95f35717ea9103e325fe157f25b1c943f1bb4eb065fb356ba63d6b8105f07

SHA512
579d20dc4e1f1feaf5287f549678f08118b6d5f64e4595c17166391513d9b6acd26c4c148f551138a7917e11af8b89668427ce47da10214b9862eb4456924713

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEcU.exe

Filesize
440KB

MD5
e4c76364186020cc99e3da4ca87cfb26

SHA1
92b3697f2c2ea2f51937048eea367f42a7d969cb

SHA256
50ab7bad36fbc01dec60ad63696f50a61f8eee580238003f69314ca34dd05978

SHA512
05089d9e6a4f3bfee7c1f2389381d830f31b75efa35dfdd267cad5502a245c39877cbe6cdf621314fd1ae47b872a4efcc1782a6f8c001c0ffb91e04d8497bbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\akoI.exe

Filesize
455KB

MD5
02193b67963d1a7e2e83a85627956ea9

SHA1
f99d9b7f57390bae55080057cdc972e5bc3bc654

SHA256
0a5441abbcdbbde3d9f6b7b165f0cab4733d4fe74f4ab0215355ed53f52c3aec

SHA512
a97e09ff5de53abed5c4e3eddc690a8a7fcddb0a07b2e3e1e2a8e40aff949fe0e8109e2e21e7f7fe9a8089e3418bb4e5c9311bf782aa33ae091799b8c5b13f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\awES.exe

Filesize
1.0MB

MD5
2b525cd9052f41ee98a3ddc008b253a5

SHA1
0495ff306522ddba1662b4b3837285ea21e09ef2

SHA256
728d41a5c2108a6816f2c7cab44863cb0318b0341b2992f53ed90196ed45f584

SHA512
e173aa4f0fb509a2e865bdf7ff2189e1f700a91b43f8291d55646fb1dec64d1ad6a550af585e13631c1982e105b218cb8231a93d12b5f85bcd6db473fcbd8477

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2935113c3d46f449bab669529cff5d1139c4c6feaa68b13db254295da8cef4dN

Filesize
3.9MB

MD5
5bacbdba9af42150c27b1a182ba169f8

SHA1
797fdb039b9fdb9d271119376d50a4e532bd6c68

SHA256
c30cf61dee7def852eaa738aff1f63b6a1bc59de7f7599fa11ae685d46b55835

SHA512
6cdf90fdcab3434b2b6b610b2daba58b71feb8f1394c89e6c6f9c424fe9351d50660fb4fc459b52352b77fdf3573edd4f13bff51078605972e711927dfae23be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEYS.exe

Filesize
461KB

MD5
75ead21a985544c07229399a479b0dc6

SHA1
187068e48f91691882c38fa830bbb24b671cdb90

SHA256
bcbde4b8be7b6f17cd5440286825bcc7a27d2df285e7ba5ecbf132bd210ce5fd

SHA512
7f1336abba79d63fd01b64a81a59306b9921876c6ef48cc1e3be10fbb3c9716807d5a2bab250793c8fc388615e7c716225cabee1d1077880f0e2f6fa3ecaffd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cUsy.exe

Filesize
2.0MB

MD5
714ffea03af764d34ddb4578bf2ac755

SHA1
0d6353125744c8a7b23de9260574febb3c9c5a5d

SHA256
7f52ed05fc035e687d07b1b37c287b6743c95ac540f874b96c8f3fa40a265513

SHA512
c0fcd663cbf0a9759838fbfd32f34601274c130737e8443b95d9f162583672d95691830bf06d72e0a81799d9bcb0614fa2e3197a931b45520ccc413dd49d8a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccgE.exe

Filesize
572KB

MD5
1c9e72f94d30bb2ef558dc5c6be9b114

SHA1
750602a2e1755d14e8cf6ac49098cf9090878c22

SHA256
2ea69dbcecb39106fd87792264eeddbd5bf940d438720f348dadb0fa3688ea39

SHA512
76f814f8fac50eee90ba241a47236174b0c0a5bba845a742113085dcded4ed95a4758971573ed0f87b9dd756481eb4fb5e221deb87e94077781a318f500e2d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIMM.exe

Filesize
606KB

MD5
2c09fb63d43eb455f5a85dd9eaf20202

SHA1
5eaf95d066ef06c4356e5720f612cb57148ec00e

SHA256
cc65f268bb60c37bbfa680dd1cf7d16c87d429917bed12d1298e694097b3c4af

SHA512
f961c3429379afbfadc7235ff3f70753d4a0a84a41c9e19ec08797ae1f8d9bdc3bc3b3307e73a522a83e4f7a0366d3758a2ffbc19e6c1e2d2f6d53d694e9d5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoMc.exe

Filesize
451KB

MD5
5869f95c391dc287f7aeb9ad7ade4aab

SHA1
fdfac91b26eac59d8d827bb4b0ad915a71a6fd78

SHA256
97f251f4fe0b79f1f796f5793dd05678edfad8b6a06c2bb7a402ad96e70ba17a

SHA512
353233360ac6b72749e014ad72fcf5f475cd1187a8c69c6bcfe0ee4e8f02e775e7e962cf914edcdd1c1bd1795793ca5551fa4089fba1016b2c8fc7e0ef7a03e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAMc.exe

Filesize
837KB

MD5
9dd30e60662463bb209d7a3edc51cd93

SHA1
6818033d90bf4d609cb9b0649c69beece77e7c83

SHA256
1db1a321111c4d0da3b41f87163040a44380242769b25fe610d831e62a781586

SHA512
54b0a23e84f569306a3f26fbd12229ccbaddc9911f29900e651d02a82ce930fe47afbf0fa5d4e6ac8dc69eeff9c5f0f42a69f85c6e6cfd39a6405913db924ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAsE.exe

Filesize
431KB

MD5
49b306567b583e645c43b6255f24bf7a

SHA1
99321344dce179a35bb6592a38d1e0ceda8517fd

SHA256
5d540c236e399c9898fb2c1ad0a29d859ddee91a4f5fc7f3cddf5725ad33c428

SHA512
8063f6e56bc8d066a34cb490bf96cc6654e803552bd9114fb3a0487b7c88e42c7e2780b2fdffc4ae7e5c6c525dd0834867e659fa0bea7d51e9d5177828729d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMYi.exe

Filesize
435KB

MD5
0a1c49f7899eba45aa6da3ce4382f1f5

SHA1
9c9ad1f3382a2e149cf3c3eef00cf240797897c3

SHA256
33fd37f1fc6f37b5b9958cb6f7496b58ecaf4c064ae18cfa9a39490c34c7ab85

SHA512
d4c98cdcbb9509ee3e143a74474a1427ab4e72b5700f38f01460454aba24c1989d6925b6fe83eaf4d1f3672a3ee512c8ad732b94a4deec13cc1d376a6b9e5f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcwm.exe

Filesize
432KB

MD5
c4c78b45e5ba462a9d0e382adcd82e9a

SHA1
9aaf875871523a9cae7654a3e2b027a7615a12bc

SHA256
60a91a1f0f3987ea8ba9b5168156da78c9bbbf667ad55bc20731c015d8a75bfa

SHA512
bbef83523c5b236a3cb3631300f72c036bc084c3fa57e3dbc2018db7cc1f54aa38123cff91ba31520ba952b22937bbb992d3cd78755586d88c93a684ba1d3aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEEq.exe

Filesize
1.0MB

MD5
c203123bed6b0228f17900af6dfcd06c

SHA1
486904e52e072336e6fa6f40d905d454968d233b

SHA256
8548c89f0fe3f809d7a469f4f2d6ca1cf68b2fbf6d98a23db7bcec4c0685454b

SHA512
4ead48ab72d9a182b5b399a69b4355ba47db2d97c58139364b70f197a555646f04ebfbd7e4e76e348339349f8ba4f3099ed0becfd843848492bf7bfc1d4e85cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEwA.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUYm.exe

Filesize
439KB

MD5
a0480b79fc7a9bcda0fcd4516d8c7f1e

SHA1
01b7879d0452e8c2f5c62345b3e1e511f173dbc7

SHA256
003b1c4123725f85ca6580a08f4114dc0cfbb89b658466570d7a83383fd5a613

SHA512
dbf83b295fea72576233c4b95bba35fac40ee69682cddbb4eaca7d0a2e3ab5f6f9b900be82a7f26063fa638f9672a1190a96e98668c90f304a312c39081b62e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikIs.exe

Filesize
435KB

MD5
7adfd63f620cf679500801c99eed49b7

SHA1
a0dec99fee5c1a996a2630ac65168cdbcdea2159

SHA256
8535f78ad08cf2663bd4e6752338d52650ec0d673e37b844151ba46000005ec5

SHA512
c10bc6fa45b72f7f4e674ad1845850f014caaa8547ff45449323091e387ed767bc6865bbf3829d664b5fbb21990ef79a0543cc11410306ddf57116922d7f7f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAsQ.exe

Filesize
442KB

MD5
be6ecb55788992097f6c35b175d78155

SHA1
3d57ab9a63d2141382630bf5881f193457a8f985

SHA256
acbd484b142e73a651879bc99f3a02ffbb2981552fcdd2fef1f9a8be23240193

SHA512
c248ea48d9f03614b3f60172a20b6db7c309b3b4934110d891ae8f6202bf91b5aacb951ea4c7ed9b519f7e71b9af0e3dc41f6acbb8a8d5e74753837199a4f28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwcY.exe

Filesize
441KB

MD5
73b3bfcf92b24119ea1591d325c33a7c

SHA1
0edb94652172d063c6da62dfc754ae45130c5a88

SHA256
0d9e8203dca136d8741ea8b5756c66430f299af9e21a10b0034f8a99b4366a3a

SHA512
c27a1c0610bfdadde7b8fadc9d296206f968fdaabf0ba585478f43de881a312b6e42a8f957e5c6bc9bd6212d7cd7e8e7b01adde05467b8923af3775167234f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwcu.exe

Filesize
808KB

MD5
b197a028a4ae100aed3eaa36d65899b7

SHA1
fd461efdc17a0b72276c526806693726a7840481

SHA256
3ce37b1cac8cd6a04f3026cea7ae6d205e1ec82e102939ad75e689e2d5405fdf

SHA512
7e96e2a10baf4c2894a418d18594acdcfc76bd1dad7660d3802598511a199093447507c83aabee18497681bf43fd3ef981e122c8cd21baf0cb0019626ccc0053

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcsE.exe

Filesize
444KB

MD5
35ee9cd1d83a66f8e8aca2124b3c9220

SHA1
4d6869e3e5b0ae13287a9613d5ef7cdaf3501701

SHA256
5988062d97ceaf42f6601191c3b5a2a8ce5c41b10ffed28e76c066b992841962

SHA512
945a9bb47d69667f431453f0bb2fa46966f8f2aa17aaad3feca5cb907b7a0f704ed4be66865da28e0f9d2a4810b265f5d14514f3d5eb22001c557fb22c1d03e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAgi.exe

Filesize
435KB

MD5
402e6313c2a382cc4f73dfdcb84f6eb9

SHA1
5f5dd78cd972b52d6854e4dc3575a67135550366

SHA256
dda839a011061a7b42c2d7309400a8a23f8116cfe3c8269912cd919f5cdbaa17

SHA512
b847c8f21b5a5d20515cb14c5bbb1824bf32970048b11db046a651c4f02d565d105cd4369214d7d8842a44884541832c22100f0ec46f00355d0495bad8c8c433

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIswsUws.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oOEI.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogUm.exe

Filesize
434KB

MD5
9c15b9db10e11270571053b17206c6ff

SHA1
510679eebd4b6dff41757597268f2e3d32e5dc86

SHA256
8c5aae8be53da798d63b84b089793f1cdf7f3c3dd19a478417f118604b10dbc7

SHA512
70c10454263fdc84be8b3c4dd0052d71745a36fbbff8fa5b56e507de9b960c3bc2ce21d54cd4133bca97c18b5daa9829ab544795f3b75d465cfb10a28598b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYUg.exe

Filesize
433KB

MD5
4fd131a59c55436e3057e790e23f3543

SHA1
5a608e53f03c0d02bc75fd4c0d7b3b57844ab831

SHA256
eb4eb30be5890b6061ec8ee473a293fc683d7b4dbe3e673eb0b86af1e050383e

SHA512
7f9e2e5fb12b83d5d323b9ed798ccc47306ab22c6fdd3a09bd4f582727d8762c97a64edf5aaa0fcd2c98fcb410ad1cc4e2ae7f60b941552d0d5e79f5a54332f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMEy.exe

Filesize
437KB

MD5
3f02d1078b651c0b5991d7fa6d605d47

SHA1
3e9656cccbe2769bcd4b5247d9fd66433f4792f1

SHA256
86d97f174e3c610eabb11005f7acd3446eea862e12a2f7bc262f07f4805f0bc4

SHA512
068238154c569cc3d57a78eb600177ade15b3561af899d258fb958dba5bf75381b85353339121bcdab6ac98bb15c72032f7cec8a75c519060e689979dd4cc539

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgYA.exe

Filesize
881KB

MD5
4b1d8ee67dce243a374d2b53f3c5cd50

SHA1
2b504abce0eddd57a80a0c86134077d9188ad6e0

SHA256
04414ad2d8e022ac505e77a72fdd079c0bc13a206b8fb71b373195a28acb548e

SHA512
a602156ec6c8f707eefa12b9849e96205796344c6c70415177a19bfa600ac2f1830db6bdb25c0325883cc0e26b28ecf046851bbf5a93f3c2e79588477216ac9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sskC.exe

Filesize
438KB

MD5
30bb89eb50f55db6f4089f41bef08607

SHA1
6f809481718979cddebd023339e9e97f0bf8f6e1

SHA256
0ee331848df55a4349c149a0beafe93e3998e97e7303ce70a52973385eca1237

SHA512
f037a970538a82ec0547c929fd58ce84398761494c581b26e33baa69606031532e591f7ed4a90ba7199e8b3a40935778fe72373774c1d8f63ba6c9b05aa1fb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEkA.exe

Filesize
445KB

MD5
35c9779a7f8fda01fcac092c8486b679

SHA1
87eaee1eda56cd13ef7ec233a12ee22a3cc9ba71

SHA256
54ec79da9141db0087465d1be3267a34c3a6bf9ac51e01c6be9cbd41dd52f6a4

SHA512
3f909de08a548184f9e43012115ae1c652bfd7c29c325f269fd3d06f3c9922f31f74d35be1cd8a0da0d685f2da9c899803eb38acbefc9881497b04b7014d1e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQQs.exe

Filesize
503KB

MD5
e19f7f8cb2549ced055e44f5c67804cf

SHA1
450145044932d386f333872176d580dce1d8141c

SHA256
2d254c09db6c6a1acba20d97105b3f3b18e8b8e723179a865fdfffb20f7e0679

SHA512
e23849d01b465df53621a281d5aecef498ba38d5353e70e56c082138a18f478c4f58e0e0fa09b8e976dd6e49a94958e188a4ab3ed68dae0e93d8f3d61b7669ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ussG.exe

Filesize
441KB

MD5
a65f084990007e29bb599ed4cd8d9b89

SHA1
36fad9231717d23fc8c3cd760d28a92f50c8b84c

SHA256
2767ca365119dabbef80020f93f77eec3eba90ca1e84dbe759ef4d66b8d39aca

SHA512
4c4a65ca45edb4f11fb9614db5387f82ae6165d552bf0e63a34ce2aa5c9b6c1b5485b2b1a8fb0c50bf1acf0ebaea858c4200ec8ab5d78e16caed131253078878

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAQk.exe

Filesize
447KB

MD5
9b7a9dd6b01e51f991e40239e0bb8f2f

SHA1
f16ee6810dfe76157abcb28c8abab5051acbd7b9

SHA256
4e565761634fce3e16298166112faf7b09525a579d791fb74eb5950006df2fe7

SHA512
ce6c3379b1d69cccefeda80e20244f81bddc6defe07bf93178259cc8f373c7270d8023cbc35a861ccbed97829739c65b8f0860cdbdcb2b719f1cdb98442848ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUAa.exe

Filesize
442KB

MD5
d82ec762bac2a64899bedcf391580f9e

SHA1
66c3d18ee25f5166850562313be764d4a50a0a5e

SHA256
87d61aa3654d2b5dc22afd7f652ace20de0844caffdd242831633747fc5b6047

SHA512
18d6025fd71f2ced4bc761183daa4082857cf31227b4b94fe23b8bba3a13afbb351a6e9aff6699f7d9da1886e5eeaa9f5a09c074837f5d1636fb145124e74332

Download Submit
C:\Users\Admin\AppData\Local\Temp\woEG.exe

Filesize
1.0MB

MD5
f4dcdbe5087373cddfd0d2f2e4f63e21

SHA1
46a3173ac590f2bbee6594746fc6bd29cb6dc858

SHA256
9f0184080ad42eae7ac0de65cbb30c1f4f3de46a79e6d629a20e4e04a2e665c0

SHA512
cc953b53774bd5fd7a26ecff163e9dd8af97f1426bbfbc4b957b92fb1937fb25d5966a5d8f72f7e51bb887b3d22775645ec308348a74c8bf3dd14621a9df9602

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUsO.exe

Filesize
670KB

MD5
20f35afbda1f995cf8f0345b59d1d547

SHA1
c2d878c760ed8a1f927b7bbb7808bc7248fd2340

SHA256
7f8a9cce4df55aa3f8cb522194c632b1ed3217a781aedb301f29eb861f08547d

SHA512
c2572837c49955f05caf2d01daa235f2cc5d0083169c9b14e089cc6ca08c13e7e184e0e10ae5ba958b0d3cb8d2d7aa1e4013ac61dedf964d8ed09dc50ecddf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYIK.exe

Filesize
441KB

MD5
d18c8c043c2477b03cd59906aa2d2abb

SHA1
330982a1e0e1a08abb049a3671b56f0831e4eb92

SHA256
77063c4a8903ff12aaf62bc8b14f954486c27eea59691f731d73b84b67d7c1de

SHA512
472356c726c7e50422fc985dda8e5a4df7c2a24d06decdbb178dbf0b2b0d87066828532aaddfbc0a4b426f69a21ee0807e2044e16368ea6334bfd501c2f0581f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiUA.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykoE.exe

Filesize
557KB

MD5
c4ef3eaaa52941218728e2120e04ae00

SHA1
ed208d60d4a364903778f5334884245479056edb

SHA256
c116b1eeecaa766eb967d97af160a344a2c4adc6937b6497185290236016d183

SHA512
17c205ae4de46cb3af494f5d2f03c35612ba237d8c89d85eaf7cfa89620ee47cfde2bf78e403d5b653ebb5430da93d417f578c6ed1b93d6a909c8f0b61adc00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoEO.exe

Filesize
437KB

MD5
83dbf2ab431ae01ea000cf56482f2863

SHA1
d0ec895017bad14478121240c6f3aca633b6e287

SHA256
e62419bfd70f8f84282bf80b4125e8aba1a3ee5208b0522860aac9e704767959

SHA512
d6e5a0bdee51e466c8238e8394c1afa2ae7dfcb4dda11fbf9876f3b9efea3b5e31d6f8a7424f7e51c850a9cc372446440a0c1650007e5ecfc98bb82a794afc55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywwW.exe

Filesize
660KB

MD5
78a8bc814611a17e18e24c8f190c8bea

SHA1
d96ab87d52f9307ccb78fb497d1ff34e65560aac

SHA256
db8e0248c1a3c329f454f2f06c0fc9fa3fefc2c266b2c70e2c3d0f4989e4eb5b

SHA512
352b1b1c8967748cab263028d2ae5896bc20e794f931e3675adc6389c996e156f44343b71c059a3455704cc866bcbea8f471b7fa5ab55c3bbd12310a566d616c

Download Submit
C:\Users\Admin\AppData\Roaming\FormatUndo.doc.exe

Filesize
986KB

MD5
6f2125f165221b63bb3a69de8410647d

SHA1
ee78e34dbee16d50b3e3ba0d2e4772d0c2b7bf84

SHA256
53d085c3ee4c50ead56dba672f3c217a3e57eac7ca05d25609d1fe0c7feaab4f

SHA512
0b688926edf2ca868a2df6f68921dfdebb3d004096e25738de74481eeeab091b9dd568379e5bc4a6509aecb7284557471064a7bbd80e4b2dea0b18a6971d65d2

Download Submit
C:\Users\Admin\XAsUswAQ\euUsAUMk.exe

Filesize
434KB

MD5
c62696c9e1ebd938ecae7bfc47ea4cb3

SHA1
6d1dcbf5c7e0599b2f26c78ff906db51f7bd93cb

SHA256
34650062712453907bc217f096d72e0b2831255ecb31e78fa5e85ee3e5f622de

SHA512
354c25aac9a945750f6be4ff84bb12c5c9c532d1b4ae79b22811f830a90e006116f8dcf48dadcc62ea3f71a5ab24c695ac0c746e186f38bc6f7c7248784972f7

Download Submit
memory/4280-8-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4280-601-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4812-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4812-819-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4920-0-0x0000000000401000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/4920-428-0x0000000000401000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/4920-475-0x0000000000401000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download