darkgate | d92024a4c81073d013ee65310350714f0daa216bc90c7d4b43031cb9c72c23d2

Analysis

max time kernel
296s
max time network
299s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
28/03/2025, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gacdeca/Autoit3.exe
Size

872KB
MD5

c56b5f0201a3b3de53e561fe76912bfd
SHA1

2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256

237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512

195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
SSDEEP

12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

Score

10^/10

darkgate drk3 discovery persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

aspava-yachting.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
ZuMRODIC
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 13 IoCs

resource	yara_rule
behavioral1/memory/1056-46-0x0000000004630000-0x0000000004985000-memory.dmp	family_darkgate_v6
behavioral1/memory/1056-73-0x0000000004630000-0x0000000004985000-memory.dmp	family_darkgate_v6
behavioral1/memory/1056-74-0x0000000004630000-0x0000000004985000-memory.dmp	family_darkgate_v6
behavioral1/memory/1056-75-0x0000000004630000-0x0000000004985000-memory.dmp	family_darkgate_v6
behavioral1/memory/1056-72-0x0000000004630000-0x0000000004985000-memory.dmp	family_darkgate_v6
behavioral1/memory/1056-76-0x0000000004630000-0x0000000004985000-memory.dmp	family_darkgate_v6
behavioral1/memory/3308-610-0x0000000004DC0000-0x0000000005115000-memory.dmp	family_darkgate_v6
behavioral1/memory/3128-722-0x0000000004480000-0x00000000047D5000-memory.dmp	family_darkgate_v6
behavioral1/memory/3128-730-0x0000000004480000-0x00000000047D5000-memory.dmp	family_darkgate_v6
behavioral1/memory/3128-732-0x0000000004480000-0x00000000047D5000-memory.dmp	family_darkgate_v6
behavioral1/memory/3128-733-0x0000000004480000-0x00000000047D5000-memory.dmp	family_darkgate_v6
behavioral1/memory/3128-731-0x0000000004480000-0x00000000047D5000-memory.dmp	family_darkgate_v6
behavioral1/memory/3128-729-0x0000000004480000-0x00000000047D5000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

description	pid	Process	procid_target
PID 1056 created 676	1056	Autoit3.exe	7
PID 1056 created 780	1056	Autoit3.exe	8
PID 1056 created 4960	1056	Autoit3.exe	91
PID 3264 created 1056	3264	Autoit3.exe	95
PID 3448 created 1056	3448	Autoit3.exe	95
PID 4028 created 4664	4028	Autoit3.exe	89
PID 3176 created 1056	3176	Autoit3.exe	95
PID 1056 created 676	1056	Autoit3.exe	7
PID 5260 created 2832	5260	Autoit3.exe	54
PID 5692 created 2832	5692	Autoit3.exe	54
PID 2172 created 4052	2172	Autoit3.exe	60
PID 4808 created 2848	4808	Autoit3.exe	61
PID 1036 created 1056	1036	Autoit3.exe	95
PID 1056 created 1824	1056	Autoit3.exe	139
PID 3256 created 4612	3256	Autoit3.exe	88
PID 3152 created 4052	3152	Autoit3.exe	60
PID 5324 created 2960	5324	Autoit3.exe	52
PID 5232 created 4352	5232	Autoit3.exe	81
PID 5428 created 4352	5428	Autoit3.exe	81
PID 1056 created 2832	1056	Autoit3.exe	54
PID 5880 created 2832	5880	Autoit3.exe	54
PID 5372 created 5484	5372	Autoit3.exe	196
PID 5216 created 2848	5216	Autoit3.exe	61
PID 1088 created 4792	1088	Autoit3.exe	208
PID 1056 created 4612	1056	Autoit3.exe	88
PID 2264 created 5484	2264	Autoit3.exe	196
PID 4572 created 4352	4572	Autoit3.exe	81
PID 4392 created 4664	4392	Autoit3.exe	89
PID 5552 created 2876	5552	Autoit3.exe	226
PID 1056 created 4052	1056	Autoit3.exe	60
PID 5148 created 3988	5148	Autoit3.exe	59
PID 3180 created 4664	3180	Autoit3.exe	89
PID 5860 created 2940	5860	Autoit3.exe	51
PID 2440 created 852	2440	Autoit3.exe	254
PID 4492 created 1056	4492	Autoit3.exe	95
PID 1056 created 4352	1056	Autoit3.exe	81
PID 4448 created 3988	4448	Autoit3.exe	59
PID 1100 created 4296	1100	Autoit3.exe	63
PID 5884 created 2960	5884	Autoit3.exe	52
PID 4672 created 4664	4672	Autoit3.exe	89
PID 1568 created 2960	1568	Autoit3.exe	52
PID 1056 created 380	1056	Autoit3.exe	71
PID 1056 created 5712	1056	Autoit3.exe	70
PID 2212 created 4612	2212	Autoit3.exe	88
PID 6092 created 2940	6092	Autoit3.exe	51
PID 5144 created 4664	5144	Autoit3.exe	89
PID 6052 created 4460	6052	Autoit3.exe	322
PID 5000 created 3988	5000	Autoit3.exe	59
PID 1056 created 2836	1056	Autoit3.exe	47
PID 1340 created 4664	1340	Autoit3.exe	89
PID 2420 created 4612	2420	Autoit3.exe	88
PID 4188 created 3988	4188	Autoit3.exe	59
PID 2096 created 2940	2096	Autoit3.exe	51
PID 5924 created 4052	5924	Autoit3.exe	60
PID 1056 created 5712	1056	Autoit3.exe	70
PID 2500 created 2848	2500	Autoit3.exe	61
PID 1168 created 928	1168	Autoit3.exe	385
PID 5852 created 1056	5852	Autoit3.exe	95
PID 1056 created 4664	1056	Autoit3.exe	89
PID 1124 created 3988	1124	Autoit3.exe	59
PID 3828 created 2832	3828	Autoit3.exe	54
PID 3416 created 4612	3416	Autoit3.exe	88
PID 1056 created 4296	1056	Autoit3.exe	63
PID 1216 created 3576	1216	Autoit3.exe	160

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hhfkcce = "\"C:\\ProgramData\\ekeedch\\Autoit3.exe\" C:\\ProgramData\\ekeedch\\heacfaf.a3x"	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abbkfce = "\"C:\\ProgramData\\hbdbbac\\Autoit3.exe\" C:\\ProgramData\\hbdbbac\\ebcdehk.a3x"	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\abbkfce = "\"C:\\ProgramData\\hbdbbac\\Autoit3.exe\" C:\\ProgramData\\hbdbbac\\ebcdehk.a3x"	Autoit3.exe

Executes dropped EXE 64 IoCs

pid	Process
3448	Autoit3.exe
3264	Autoit3.exe
4028	Autoit3.exe
3176	Autoit3.exe
5260	Autoit3.exe
5692	Autoit3.exe
2172	Autoit3.exe
4808	Autoit3.exe
1036	Autoit3.exe
3256	Autoit3.exe
3152	Autoit3.exe
5324	Autoit3.exe
5232	Autoit3.exe
5428	Autoit3.exe
5880	Autoit3.exe
5372	Autoit3.exe
5216	Autoit3.exe
1088	Autoit3.exe
2264	Autoit3.exe
4572	Autoit3.exe
4392	Autoit3.exe
5552	Autoit3.exe
5148	Autoit3.exe
3180	Autoit3.exe
5860	Autoit3.exe
2440	Autoit3.exe
4492	Autoit3.exe
4448	Autoit3.exe
1100	Autoit3.exe
5884	Autoit3.exe
4672	Autoit3.exe
1568	Autoit3.exe
2212	Autoit3.exe
6092	Autoit3.exe
5144	Autoit3.exe
6052	Autoit3.exe
5000	Autoit3.exe
1340	Autoit3.exe
2420	Autoit3.exe
4188	Autoit3.exe
2096	Autoit3.exe
5924	Autoit3.exe
2500	Autoit3.exe
1168	Autoit3.exe
5852	Autoit3.exe
1124	Autoit3.exe
3828	Autoit3.exe
3416	Autoit3.exe
1216	Autoit3.exe
4876	Autoit3.exe
3316	Autoit3.exe
716	Autoit3.exe
5696	Autoit3.exe
4064	Autoit3.exe
2232	Autoit3.exe
4376	Autoit3.exe
928	Autoit3.exe
892	Autoit3.exe
5400	Autoit3.exe
2392	Autoit3.exe
5316	Autoit3.exe
3392	Autoit3.exe
5300	Autoit3.exe
2188	Autoit3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Autoit3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4664	powershell.exe
4664	powershell.exe
1056	Autoit3.exe
1056	Autoit3.exe
6052	WMIC.exe
6052	WMIC.exe
6052	WMIC.exe
6052	WMIC.exe
1056	Autoit3.exe
1056	Autoit3.exe
1056	Autoit3.exe
1056	Autoit3.exe
1056	Autoit3.exe
1056	Autoit3.exe
1056	Autoit3.exe
1056	Autoit3.exe
3448	Autoit3.exe
3448	Autoit3.exe
3264	Autoit3.exe
3264	Autoit3.exe
3264	Autoit3.exe
3264	Autoit3.exe
4028	Autoit3.exe
4028	Autoit3.exe
3448	Autoit3.exe
3448	Autoit3.exe
3176	Autoit3.exe
3176	Autoit3.exe
4028	Autoit3.exe
4028	Autoit3.exe
5260	Autoit3.exe
5260	Autoit3.exe
3176	Autoit3.exe
3176	Autoit3.exe
3448	Autoit3.exe
3448	Autoit3.exe
1056	Autoit3.exe
1056	Autoit3.exe
5692	Autoit3.exe
5692	Autoit3.exe
5260	Autoit3.exe
5260	Autoit3.exe
2172	Autoit3.exe
2172	Autoit3.exe
5692	Autoit3.exe
5692	Autoit3.exe
3176	Autoit3.exe
3176	Autoit3.exe
1056	Autoit3.exe
1056	Autoit3.exe
4808	Autoit3.exe
4808	Autoit3.exe
2172	Autoit3.exe
2172	Autoit3.exe
1036	Autoit3.exe
1036	Autoit3.exe
4808	Autoit3.exe
4808	Autoit3.exe
5692	Autoit3.exe
5692	Autoit3.exe
3256	Autoit3.exe
3256	Autoit3.exe
1036	Autoit3.exe
1036	Autoit3.exe

Suspicious behavior: GetForegroundWindowSpam 52 IoCs

pid	Process
1056	Autoit3.exe
2308	Autoit3.exe
3332	Autoit3.exe
4380	Autoit3.exe
5240	Autoit3.exe
1752	Autoit3.exe
2976	Autoit3.exe
3064	Autoit3.exe
4620	Autoit3.exe
4956	Autoit3.exe
4820	Autoit3.exe
4244	Autoit3.exe
5248	Autoit3.exe
4360	Autoit3.exe
2736	Autoit3.exe
2984	Autoit3.exe
1928	Autoit3.exe
1820	Autoit3.exe
2132	Autoit3.exe
5644	Autoit3.exe
2808	Autoit3.exe
2088	Autoit3.exe
5760	Autoit3.exe
4988	Autoit3.exe
6012	Autoit3.exe
2136	Autoit3.exe
4812	Autoit3.exe
5088	Autoit3.exe
1696	Autoit3.exe
3144	Autoit3.exe
2292	Autoit3.exe
2884	Autoit3.exe
3564	Autoit3.exe
5648	Autoit3.exe
5996	Autoit3.exe
4476	Autoit3.exe
6176	Autoit3.exe
6244	Autoit3.exe
6316	Autoit3.exe
6440	Autoit3.exe
6508	Autoit3.exe
6576	Autoit3.exe
6640	Autoit3.exe
6708	Autoit3.exe
6784	Autoit3.exe
6852	Autoit3.exe
6924	Autoit3.exe
6992	Autoit3.exe
7056	Autoit3.exe
7120	Autoit3.exe
6148	Autoit3.exe
3140	Autoit3.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeIncreaseQuotaPrivilege	6052	WMIC.exe
Token: SeSecurityPrivilege	6052	WMIC.exe
Token: SeTakeOwnershipPrivilege	6052	WMIC.exe
Token: SeLoadDriverPrivilege	6052	WMIC.exe
Token: SeSystemProfilePrivilege	6052	WMIC.exe
Token: SeSystemtimePrivilege	6052	WMIC.exe
Token: SeProfSingleProcessPrivilege	6052	WMIC.exe
Token: SeIncBasePriorityPrivilege	6052	WMIC.exe
Token: SeCreatePagefilePrivilege	6052	WMIC.exe
Token: SeBackupPrivilege	6052	WMIC.exe
Token: SeRestorePrivilege	6052	WMIC.exe
Token: SeShutdownPrivilege	6052	WMIC.exe
Token: SeDebugPrivilege	6052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6052	WMIC.exe
Token: SeRemoteShutdownPrivilege	6052	WMIC.exe
Token: SeUndockPrivilege	6052	WMIC.exe
Token: SeManageVolumePrivilege	6052	WMIC.exe
Token: 33	6052	WMIC.exe
Token: 34	6052	WMIC.exe
Token: 35	6052	WMIC.exe
Token: 36	6052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6052	WMIC.exe
Token: SeSecurityPrivilege	6052	WMIC.exe
Token: SeTakeOwnershipPrivilege	6052	WMIC.exe
Token: SeLoadDriverPrivilege	6052	WMIC.exe
Token: SeSystemProfilePrivilege	6052	WMIC.exe
Token: SeSystemtimePrivilege	6052	WMIC.exe
Token: SeProfSingleProcessPrivilege	6052	WMIC.exe
Token: SeIncBasePriorityPrivilege	6052	WMIC.exe
Token: SeCreatePagefilePrivilege	6052	WMIC.exe
Token: SeBackupPrivilege	6052	WMIC.exe
Token: SeRestorePrivilege	6052	WMIC.exe
Token: SeShutdownPrivilege	6052	WMIC.exe
Token: SeDebugPrivilege	6052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6052	WMIC.exe
Token: SeRemoteShutdownPrivilege	6052	WMIC.exe
Token: SeUndockPrivilege	6052	WMIC.exe
Token: SeManageVolumePrivilege	6052	WMIC.exe
Token: 33	6052	WMIC.exe
Token: 34	6052	WMIC.exe
Token: 35	6052	WMIC.exe
Token: 36	6052	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1180	WMIC.exe
Token: SeSecurityPrivilege	1180	WMIC.exe
Token: SeTakeOwnershipPrivilege	1180	WMIC.exe
Token: SeLoadDriverPrivilege	1180	WMIC.exe
Token: SeSystemProfilePrivilege	1180	WMIC.exe
Token: SeSystemtimePrivilege	1180	WMIC.exe
Token: SeProfSingleProcessPrivilege	1180	WMIC.exe
Token: SeIncBasePriorityPrivilege	1180	WMIC.exe
Token: SeCreatePagefilePrivilege	1180	WMIC.exe
Token: SeBackupPrivilege	1180	WMIC.exe
Token: SeRestorePrivilege	1180	WMIC.exe
Token: SeShutdownPrivilege	1180	WMIC.exe
Token: SeDebugPrivilege	1180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1180	WMIC.exe
Token: SeRemoteShutdownPrivilege	1180	WMIC.exe
Token: SeUndockPrivilege	1180	WMIC.exe
Token: SeManageVolumePrivilege	1180	WMIC.exe
Token: 33	1180	WMIC.exe
Token: 34	1180	WMIC.exe
Token: 35	1180	WMIC.exe
Token: 36	1180	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3316	Autoit3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 1056	4664	powershell.exe	95
PID 4664 wrote to memory of 1056	4664	powershell.exe	95
PID 4664 wrote to memory of 1056	4664	powershell.exe	95
PID 1056 wrote to memory of 1904	1056	Autoit3.exe	96
PID 1056 wrote to memory of 1904	1056	Autoit3.exe	96
PID 1056 wrote to memory of 1904	1056	Autoit3.exe	96
PID 1904 wrote to memory of 6052	1904	cmd.exe	98
PID 1904 wrote to memory of 6052	1904	cmd.exe	98
PID 1904 wrote to memory of 6052	1904	cmd.exe	98
PID 1056 wrote to memory of 3336	1056	Autoit3.exe	99
PID 1056 wrote to memory of 3336	1056	Autoit3.exe	99
PID 1056 wrote to memory of 3336	1056	Autoit3.exe	99
PID 1056 wrote to memory of 4236	1056	Autoit3.exe	101
PID 1056 wrote to memory of 4236	1056	Autoit3.exe	101
PID 1056 wrote to memory of 4236	1056	Autoit3.exe	101
PID 1056 wrote to memory of 5724	1056	Autoit3.exe	107
PID 1056 wrote to memory of 5724	1056	Autoit3.exe	107
PID 1056 wrote to memory of 5724	1056	Autoit3.exe	107
PID 2588 wrote to memory of 3448	2588	cmd.exe	109
PID 2588 wrote to memory of 3448	2588	cmd.exe	109
PID 2588 wrote to memory of 3448	2588	cmd.exe	109
PID 3948 wrote to memory of 3264	3948	cmd.exe	110
PID 3948 wrote to memory of 3264	3948	cmd.exe	110
PID 3948 wrote to memory of 3264	3948	cmd.exe	110
PID 3264 wrote to memory of 3844	3264	Autoit3.exe	111
PID 3264 wrote to memory of 3844	3264	Autoit3.exe	111
PID 3264 wrote to memory of 3844	3264	Autoit3.exe	111
PID 1056 wrote to memory of 5132	1056	Autoit3.exe	115
PID 1056 wrote to memory of 5132	1056	Autoit3.exe	115
PID 1056 wrote to memory of 5132	1056	Autoit3.exe	115
PID 5772 wrote to memory of 4028	5772	cmd.exe	117
PID 5772 wrote to memory of 4028	5772	cmd.exe	117
PID 5772 wrote to memory of 4028	5772	cmd.exe	117
PID 6076 wrote to memory of 3176	6076	cmd.exe	120
PID 6076 wrote to memory of 3176	6076	cmd.exe	120
PID 6076 wrote to memory of 3176	6076	cmd.exe	120
PID 3448 wrote to memory of 2988	3448	Autoit3.exe	121
PID 3448 wrote to memory of 2988	3448	Autoit3.exe	121
PID 3448 wrote to memory of 2988	3448	Autoit3.exe	121
PID 4028 wrote to memory of 1568	4028	Autoit3.exe	123
PID 4028 wrote to memory of 1568	4028	Autoit3.exe	123
PID 4028 wrote to memory of 1568	4028	Autoit3.exe	123
PID 1032 wrote to memory of 5260	1032	cmd.exe	127
PID 1032 wrote to memory of 5260	1032	cmd.exe	127
PID 1032 wrote to memory of 5260	1032	cmd.exe	127
PID 3448 wrote to memory of 480	3448	Autoit3.exe	128
PID 3448 wrote to memory of 480	3448	Autoit3.exe	128
PID 3448 wrote to memory of 480	3448	Autoit3.exe	128
PID 5944 wrote to memory of 5692	5944	cmd.exe	132
PID 5944 wrote to memory of 5692	5944	cmd.exe	132
PID 5944 wrote to memory of 5692	5944	cmd.exe	132
PID 3176 wrote to memory of 3332	3176	Autoit3.exe	133
PID 3176 wrote to memory of 3332	3176	Autoit3.exe	133
PID 3176 wrote to memory of 3332	3176	Autoit3.exe	133
PID 1056 wrote to memory of 4716	1056	Autoit3.exe	135
PID 1056 wrote to memory of 4716	1056	Autoit3.exe	135
PID 1056 wrote to memory of 4716	1056	Autoit3.exe	135
PID 5260 wrote to memory of 3188	5260	Autoit3.exe	137
PID 5260 wrote to memory of 3188	5260	Autoit3.exe	137
PID 5260 wrote to memory of 3188	5260	Autoit3.exe	137
PID 1824 wrote to memory of 2172	1824	cmd.exe	141
PID 1824 wrote to memory of 2172	1824	cmd.exe	141
PID 1824 wrote to memory of 2172	1824	cmd.exe	141
PID 3176 wrote to memory of 6096	3176	Autoit3.exe	142

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4716

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4572

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4556

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1700

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3108

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5236

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4288

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1156

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:324

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2452

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:5712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5384

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:380

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:5888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:6056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3972

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca
1⤵
PID:4352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:3760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:6004

C:\Users\Admin\AppData\Local\Temp\gacdeca\Autoit3.exe
"C:\Users\Admin\AppData\Local\Temp\gacdeca\Autoit3.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:4612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\gacdeca\Autoit3.exe
  "C:\Users\Admin\AppData\Local\Temp\gacdeca\Autoit3.exe" .\ekfgefa.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1056
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\hbdbbac\ahchcaf
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:3844
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:5636
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:5468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:5032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:3996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:5700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:1336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:7628

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:2588
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:3948
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:5772
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:6076
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:1032
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:5944
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:6040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:1824
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1456
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:452
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5112
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2664
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:3152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1264
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:5324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1316
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:5232
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1448
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:5428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1128
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5664
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4792
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:5216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4608
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:1088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6040
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2876
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:4572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:712
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:4392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:524
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6008
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:852
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:3180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1280
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5948
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:604
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:4492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:408
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:4448
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5352
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:1100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3440
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:5884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3948
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:4672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4840
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5400
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4460
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2752
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:5144
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1292
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5472
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:5000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2024
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:1340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:336
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5848
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:4188
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1232
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:2096
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3600
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:928
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1808
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Checks processor information in registry
  PID:1168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2884
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2060
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:1124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4720
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:324
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:3416
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4500
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:1216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5240
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:4876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3908
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  PID:3316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:844
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3484
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:548
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  PID:4064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:720
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2232
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4432
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  PID:4376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3076
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2992
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4280
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  PID:5400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1436
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  PID:2392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4680
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  PID:5316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1896
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:3392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:716
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  PID:5300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2844
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3256
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2996
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2316
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4360
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1084
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:5568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3768
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:404
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4924
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3356
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:3488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4468
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5788
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:5356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6044
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2988
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4248
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6060
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1032
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5596
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:60
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1144
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:924
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4440
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5152
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Adds Run key to start application
  PID:3308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:5540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:6380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4048
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5260
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4240
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5760
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:412
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4312
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1216
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4544
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:636
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5420
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2432
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:752
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4988
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1168
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5756
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2380
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3004
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2592
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5368
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1744
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2668
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1380
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5332
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5060
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4488
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3564
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5228
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1440
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5456
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1932
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6140
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4860
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1968
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5620
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2368
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5844
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:932
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5764
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5104
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4996
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3128
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3708
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4008
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:60

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4892
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2756
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4788
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6128
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1940
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2808
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4100
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1504
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2132
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5300
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2088
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3868
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4848
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4972
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5448
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2524
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5564
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1444
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3128
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2396
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5680
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1180
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2484
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3172
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4868
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4988
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1348
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5840
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4380
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3012
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1996
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5088
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2896
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:5320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4888
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1460
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4620
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1336
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:464
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5288
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1004
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2396
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3844
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:560
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5868
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:6084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5256
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2316
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:192
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3820
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5620
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4740
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2132
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3812
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4956
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:960
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4068
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1228
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2668
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6068
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2444
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4644
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4544
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Adds Run key to start application
  PID:3128
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ekeedch\efgcefe
    3⤵
    PID:3280
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:4644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:3800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:6364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4008
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2432
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4528
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2308
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3380
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3628
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3720
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5340
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2512
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:776
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:4956
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Checks processor information in registry
  PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1328
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4928
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:4312
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1396
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5408
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:3596
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1012
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5876
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:5108
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4944
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:3908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1348
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:4272
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6008
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3084
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:2516
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1780
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:960
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:5720
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4720
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5960
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:1976
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5448
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4008
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:6104
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4316
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6056
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:3000
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5612
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4860
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:3916
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6128
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4100
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:976
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2616
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2444
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:5096
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4984
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2952
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:2184
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5332
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:3680
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:4580
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2004
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1440
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:3040
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5676
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6200
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:6268
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6340
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6464
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:6528
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6596
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6664
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:6736
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6804
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6872
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:6944
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:7012
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:7076
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:7120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:7144
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:6148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5140
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4508
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:6476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:6676
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2264
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:1208
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  - System Location Discovery: System Language Discovery
  PID:192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:5420
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:6456
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:4252
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:7136
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:2308
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:7180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:5736
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:7212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:7232
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  PID:7308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:7284
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:7376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:7352
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:7428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:7420
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  PID:7524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:7492
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:7568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:7560
- C:\ProgramData\hbdbbac\Autoit3.exe
  C:\ProgramData\hbdbbac\Autoit3.exe C:\ProgramData\hbdbbac\ebcdehk.a3x
  2⤵
  PID:7652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\ekeedch\Autoit3.exe" C:\ProgramData\ekeedch\heacfaf.a3x
1⤵
PID:7676
- C:\ProgramData\ekeedch\Autoit3.exe
  C:\ProgramData\ekeedch\Autoit3.exe C:\ProgramData\ekeedch\heacfaf.a3x
  2⤵
  PID:7748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\hbdbbac\Autoit3.exe" C:\ProgramData\hbdbbac\ebcdehk.a3x
1⤵
PID:7768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hbdbbac\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\hbdbbac\ahchcaf

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\ProgramData\hbdbbac\cccfkcb

Filesize
1KB

MD5
7efbe15f091255ee4d35249f15d4d281

SHA1
8be2b03d48dc1ca512bf8f4c1f60e67a1c66fe38

SHA256
a213ee836acf494d209351e7d3d717233ea155b7ea9421e5119a6869df047c65

SHA512
c4203bcf29878bb82442355313c522d6a98a1cc1ce97b76f98fe554e5c5daa8d4c188ddad58c5f8ea22537dc7d029983cec30ba23a69495913216d09b300cfa4

Download Submit
C:\ProgramData\hbdbbac\ebcdehk.a3x

Filesize
585KB

MD5
19c3cd08cdf0b443297669fd94288fb5

SHA1
89e2519e2a0ff144f99e0f5d7a7419898e36ba77

SHA256
020740d11c15f7b3b5bbc2eef7e7237c91207089c06573fded479d03ab7f5092

SHA512
dc4e0b5fc15d5ce65d80792daffd2a8617b3079fd1a7877ca6e3c17cceb518972702b135524c076dd791d032e2f8247632cc43c4d0da296d12e0c38d1b439cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msbuild.exe.log

Filesize
841B

MD5
c9a1db4c19a820048ba7767749c71dfd

SHA1
a16119485f9e2921b482bcd16e8d9834039f303e

SHA256
d3f63215eab4e0079782c2afeebd3a20fbb6ce501c2e3632dbc133f1899ca286

SHA512
cf8c810471aebf6c825da7673184c907f4345712798e926023321bb9352d3459c41e8ca9e0f30681c11265ac887761e2d2eaceb6672361d3c5f3abf8659ef0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5trfpb1.fv2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\KDGcbEC

Filesize
32B

MD5
12d29e994e490cbe3064217070fbe1f8

SHA1
cbca566a23a6b41795afee23979e9bfdebc6e4b0

SHA256
fbc50ad7b136653e91b47efdfb5b499f5d7ad3d5e4bf15df8795cc6dd8cfffea

SHA512
5435e31087bcd45d65225b1cfca112824d822ebb03396fa066ad5a09865f06f732c1d941714e98a56ff98f260579c46a36be3c486886e8396077f45796f876a9

Download Submit
C:\temp\hgekdfk

Filesize
4B

MD5
c0ce7c27d4bea13a977a18b2068717b5

SHA1
c2b68253b2943cd4ab886fad9ed039dfae371dbb

SHA256
df0591bb340fb92fd98f136edd4fdc0674ad20c8836ae16e7e174d75f18d33d1

SHA512
e9784c732309c6c6ff70e4ceec6ba2c66e85112bb233a9620641d453078c774e29d541e905e7c92a282786ab33b475a937ad351a317f08b96a639f886191965d

Download Submit
C:\temp\hgekdfk

Filesize
4B

MD5
fd418fb0f05a147a9f52f10ddad55256

SHA1
e32d439a23efc191268a14a333af85be1e3ffc48

SHA256
4f23dfc06e1aa378535a7d3e45b0e25dd42126bb95a2c109cb39b3d6b2e8cac4

SHA512
bc4ad8c71ce82289a87e07717a6079b6757e400af672bc7380654da9d3a47bc11651b9c46092f865e2a11dc0e2853b94a11851a34b2dd8ce66c7a362dabfd6ad

Download Submit
C:\temp\hgekdfk

Filesize
4B

MD5
9b97f9245aae000ed80b20c45f175023

SHA1
e7770bd5926bcf5ee5c213f27e63b8db276f2fb2

SHA256
a54223d18551aefcca6f04444d4776a9e22de97ea2b56f3bc6d4434d7f8a050d

SHA512
3fcd07504c6ed4968cd18450d8f840a3f292fe8392e3e5239f8d23ad79be0f4a18ee635020a6d5eda46bdb53dd2223cefa17e005fdca54822c3f206d09b21e65

Download Submit
C:\temp\hgekdfk

Filesize
4B

MD5
680fb346bfee41191ebda0bce1519e0a

SHA1
724afb282214eab7ce7afbd088c96e037ff84434

SHA256
f8300a42d8ffc020111aaa68aec866cf416a3ccf006e64843d73edd9275df92c

SHA512
99b554a5979b203086f8502030da53aed9b33abb7f9c87dd48a45b0daf255209c494a5c259810ded16a9415cbf8830e00239c32c5dcbaa405f931dc77aa2b266

Download Submit
C:\temp\hgekdfk

Filesize
4B

MD5
674f8da73bb426b6d5b3a5d80daa51a2

SHA1
da5e887f447de6cc29b204a96090c3fea4b3d194

SHA256
20841ab23948ddf3d31b289c8220db0aaac06b7b0aca87f509f7f6283d15da3b

SHA512
06dc138bf74dfd0a7412f15781de15aab8d1421c625961cbfbee964098dbbc6b46ae9c684f893ef36b938ec5fe690cdfa2219abf23d3d013575e6d00597af8f3

Download Submit
C:\temp\hgekdfk

Filesize
4B

MD5
6ae5691c183fa55ffbeeced0227f9123

SHA1
c2e8fe443c100e6826544b3d24e4c1b1137cc3df

SHA256
bc692a8d80990a474b8fa1fa7fc5788a0348a172b7d3a8e5661f1e937206b130

SHA512
d85961bf45ed6bd6f7055095ea8cd65c3ff8c47ea43d32b5b3b28019d5e88acfac1532f71bc0dc1a45fb5fa3e5eb242dee5b92e2556c1f9e1489cf4aeecacc38

Download Submit
C:\temp\hgekdfk

Filesize
4B

MD5
e88ef434abf1850060fcbbdf89c289f3

SHA1
82b8b0660e54af02d5ae0b97fde7d7ceb5f9a707

SHA256
7f702eb5030fc3ff2ae720600daca5cbd014adab9612ec48cf233336b4bbda58

SHA512
c181337343fa3b96d6b69849ef2601099c5d08fcb90b4c065bebef576ad87e2e73f2cc45419e864d215b53fb1fcb62d313e297cf097985c9d6e98d4288d07594

Download Submit
C:\temp\hgekdfk

Filesize
4B

MD5
4e4d31d2f81fd4a223943240583aa8c4

SHA1
715ff3a0a0fd9475fdcf2e413c4c7dc836b08e04

SHA256
bb92b498de2364f2d2d5007b560380daa8719b2f050422e4233ead8c1d029c20

SHA512
3d6bc2c922b3768c25845383b2885f93e771cf8cfb7407fb932a1ce2d1640b0012a0d6829c6eaaa929603931f74a59a81b06d8a82958ad8e748689c86efce0c8

Download Submit
C:\temp\hgekdfk

Filesize
4B

MD5
1eb6c9b45cf879bf38821e6b6033a11e

SHA1
ad24f905d69cee5e65f642213926ad21f346dc66

SHA256
4e50492e4004a01116e92962b271a92e03a620e9f25abe66d37b88971d695061

SHA512
89ff80110885390ac93c1f9b150f4ef8b022f72b345043190d7223366de37a7f969aee55c79555763b9b70073037de0062feefad4204fd18c0e641180e3c8eb3

Download Submit
C:\temp\hgekdfk

Filesize
4B

MD5
25abfd50eaace49fe164c1670324f65c

SHA1
dec6db7cad279c063626c9421f36114566e55701

SHA256
3670531c8666085b133bde6932f5580dcf5ee001053bd7a52ba3cd62d712be6c

SHA512
8e056786d04c3b4c2058cf028835c80b848080be7e1ce26b517819e7145041d3f3a777d8ce0913e6e51fd18e770d85d52f4bbf4b07d5d3d2c2cf6bde8d0577e3

Download Submit
C:\temp\hgekdfk

Filesize
4B

MD5
5b391509b80b2d5c5f5071ec4ebbdbde

SHA1
74a99cdd3c7dd639fc4b103b920fe6c2f8db5f13

SHA256
d056d85730c6f6d859945b170704411834f44fdba61fa0dd57a180fa7e959aff

SHA512
09385ae16f6f1c6494c883a262b465a510a1349040a588b2f93d21e6958ac205af63587db42852950fd33586a52a6c8216d80a08bd66253c8a4ab9f35df2048f

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
b9683f07271f6c0dba4f0f058f42c4d1

SHA1
ae9117192f7b90adac6397e50fd6725972cb0186

SHA256
17c8d1795b3a642ff8ff634ba157518d881f0dd620960b8ba518ea62cae808c2

SHA512
d8f45e700e2e1246d5b5ed9a5208b8b073b36d8b86db07aea940d1c0f1bcadadf1e16d155ec760158d8ec720e7a14d9f9761bff8b24e3b04d31d6191321abe24

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
f5c1a23f0fc1dffe950bd0080034f918

SHA1
8a9b14dfeec4a6d678db54b9b70080c7030a43f6

SHA256
a5ae11e759544623fbeb7b18720a8c015441560e1497f48e396aadad7e14c723

SHA512
e51cda7bc0c3f476ae058218d0a89d67262a0c6ce2f7f281fd076d08d191ba5ec6832b46d03207b3592fa82e0bbfa889b2399ac140729426a173654ade16be5d

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
bae9e1344d2bfb92287bfdddde400a4d

SHA1
bb359f25ce756e818c8667bbf48b1fddd64759db

SHA256
4be75b816f0aef4c89bf1d34438028d028c2971256da9838442409ed67d015a8

SHA512
d97c439b4abf38b9079abce1d126a623944234588a6ab4eb8c76c20c39d679bf1435daba407b8f1cae5953a35b8badf37806672573ed6dc787b6fd57eb63e148

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
f5cc40a3913dd81049960b72cacfea5c

SHA1
0b3c3d617a9bcae9f19b5fd598276cd89632fe85

SHA256
6fd21475ce624ba6cae0fb310da0bb5c87b896bb3621f397cce425a94ba48600

SHA512
bff9aabc5261048783f3272472a49b157b97f00ee7b6256651d1323e7399672628543bb70fa1be13a9d4be734d8b0552792232cf1143dd6dd084cb1a312c874f

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
920a5306a0706c5c08a9afa59223a6ba

SHA1
e29fcbb672028ad664779919ac6a95f7fb2e98a2

SHA256
4a0b85335cb76a55dc39b078a774f547b5d29db62134788c8a86301806137d09

SHA512
d00ead4e3cc726a7ab288f88e8f735dd8544ee9a646572a944dfb83cba7cc6f6a260a95975a942b04002500289f7b55bf9052d634cae11258f967f987a0fe8b4

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
ea814a6b0add544caea8681c903b15e3

SHA1
68bc9c4841443f0b75736fc1ba97d74454a02aba

SHA256
54d3b930fe409fdc3bebf0b5da545aa728e04248fb3cec2e99b7cb7e68bff9c4

SHA512
da7c82ca80c2c176d992540fd70c67a4faef9b98b81269e6f6e3f7bb9c3728427dc5aa458246f0bb1a6913019ca7d6003ba0188569838a8872da057ecd46d0de

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
5effd07be07bc57f2eb3daacaa7cd2f8

SHA1
c0b4f219b0946c45c109e31df8208a4967591f74

SHA256
f1ad2dea3ee6ec82f2955302963a8a747e92bcd1e57cad067ceb3f94dc20d1da

SHA512
cc6111ce0f70bcbe41f4ce447c4853f8b4243449c4e8341a22ccad963beb7642ddb4b9ff6155875c3af6ecfef2ba538710c300586cd310c5d1bbd4f9d70cd997

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
0d47ec8ea6ba3fec94ddb36f79c9a00b

SHA1
0a9667fbd8d457a257c028707a91f4a88fffd660

SHA256
612b9d2680eb732325a17e517845d34e1d30807ebde2ced3e3fb009b31b57c57

SHA512
4f7938cbe004d3c6a7e24a638de78bee1d77bb8947a8e62bdfcb0f1f49e611596df4aebc448472a9f617f2cf64f19d2245cebbfebfd8ec6dec022cf04e6b919b

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
17cec4772becaec61754892f326efade

SHA1
9385b987fd56d976b3dc5ff221d995e48445cc94

SHA256
c50607a529837fb3dc1895e08d5b66152317d9133edf3f230c7a6a8e83456f1d

SHA512
863a59b86e12d9821f5318831b04471e8925dba772bf990cbe7c458026d24c2124413604fa9f0bfc5aac86b44d257c1b8d7f7b58c86745e43791dc60b9279ca0

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
e32a2cf90d9224b3aa7bfa42047a9238

SHA1
0a84c0170c82c1509a5d7d4d029c20267924f562

SHA256
baf5a8c789b33910191f8b6c1213a8da541b5c9fdf387ae042ed286d4ed55cec

SHA512
a48813a707eea634c5004b0d10c6742b407184a9e5df3be20587b26c70a8da4e6c342747737b9d6a15fc69c6fc029e640652e7a8b3f45180afc852aa8d2ae4a6

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
95ee1321c70996b144644239ebb56d6c

SHA1
2b132cf498129ff85efe3f16009c12155c9db65f

SHA256
ec6414a3f0329256156746ac55f4a8c90161c9d6383361bf9d0a45d4e4137521

SHA512
32b2b6d2dd180bd52e32722a02676bc34d886d48862b13cd9cc275432880bd6124ad0027eb0b7deb9ac0806b013b0879e9b0ff099bc310a29da3e1a5ad9bf440

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
9482ab43e3c1eba51bef81c89a95b243

SHA1
ac89ccd5acdf08c27726b49b5b6b380ac9885605

SHA256
063c782287dce00df07e260cd0d2122d077c016de841db405a71d94e897d6c62

SHA512
c7b6a4115d80ac5fd8dcdb5b136fa74c1129c01ce2782271326f47116e7d76f61325505f741c38b8a0fe5b183dd2b75c71fc1413117be5435efc4022a1c2bd1d

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
fce728cfd741f13d39c75ec167fe4662

SHA1
470bee22dda8268e1d0197acfa144a4bd50b34f5

SHA256
87c7cfb5d4b84fca457aedf99da310db32811874de8dd1d3282cebfd19f56752

SHA512
3de9a7b11391e8364afd9e6b09cc8cfb565fa5d31e1f7d626155fd01cbecc19f89c8ffc8ded0d8fd9e53d8c3c292c20d165d9be561178c8671401c39008dd7e3

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
56eced7936d372b1b18219f8cbc4fc56

SHA1
74121bfec7d2dabd62410ac97e936cb0503d23df

SHA256
7ada04163e975de626894f89b9d5ba2f95e7478e05f50744401bd59f398599b3

SHA512
619be9622e605ada6884de954abcfad42a42000f8af441d85d5e78befca3a312b42bbbb604f5e8a8d5839c613ee5229b7ab879b952c040ffe8fe5c37efae4f3b

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
a92a0f58e8d5f37d5c856b55e3fd635d

SHA1
87c815da99ed268d813be87ca50ce96336b11956

SHA256
fbd5cb5715a1254d5c068d3405b7db0753d5f1906ce387b62da69e37434fabe2

SHA512
db06e2f883194df945ca13e6f41971193b4d85dedc120afdb0724f6591aa3343c71a5d096e265297a90fb68452771f9143d0e9e5f941fbbdc27779aec58b0ff0

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
0f8e46fc0d13c9075b15e5ec74ef0c4c

SHA1
79a52b87841691d955bffca90936f72416300226

SHA256
ccac942777c4171177895549660d7a2194f168bbd1acc0a09c996b6de09668e1

SHA512
64b4ffcde94c807dc4a2b77c4fbe1e6eb700cfac816d4bf3fa4f825cc7f3fe957eb453eaf987fcb750962beaabe4c6494ecce41e0dd5ccadc8b729cfd1006554

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
09852831d9a3cc8e6c48f944c5598392

SHA1
0f0345e85e6e43ed8719ee352943bd2933c72097

SHA256
ce451bb5b3e6841d3378ccc9bb167fa06132e84ca6ef0256716f63d85b28e58b

SHA512
9755f99067a92c19af7101b059451281ea6eec29757a92c41c7bf3232f3cd77afacc384e5faa81eb60a65563679a63c84b45b833515926b0d21a4e2a4913ae41

Download Submit
C:\temp\kehdhah

Filesize
4B

MD5
edeec59dbcbcc72bc67e83377a3e9a10

SHA1
3eb3b43f21d28fc1997a29181e7284c2c48dd6d4

SHA256
68b82fd75154f1461e9d9290c7e3c88a735cb498858c10d7433151ee71d3e595

SHA512
3878cc53a7dad0e1ff840068aaceea6eb1b4f642290c89a71094dab406fe0aafa30fa5bfe6b9032776eebe27a9b515cb314926b6f1fb7f2db6881baca577d3d3

Download Submit
C:\temp\lp.txt

Filesize
4B

MD5
3f647cadf56541fb9513cb63ec370187

SHA1
cf324559d74f4a57dee581c725423aef4e7df203

SHA256
e3680aff4c3e0fd6e49e1eddc36fd621bc3899c261a9f6deef3a66d3cc9c426c

SHA512
f594c9e88810a2cc2d329ea2d91767b6aca4f1374fc7c137d0fabefbff2f168685b0af10c6017db64961b9ed86f390b65e16770226adb1290fa98d29d0949eba

Download Submit
C:\temp\lp.txt

Filesize
3B

MD5
1f50893f80d6830d62765ffad7721742

SHA1
0b5e7f0138ad72cf4f28d2ee0b0364e1071af9be

SHA256
52efd2aad05d27e3eac3665b82f2bffa6da52351ce871c1c28e4ba69b40ea3e6

SHA512
efbc106a37c1d590ea01dec0beeb4ef806402ec02402948a9ff42c7b87f3ac8a711476e0e6aa40df2db27a5b51845b01a466027fdbe9968fd8ff1582ce491c66

Download Submit
C:\temp\lp.txt

Filesize
4B

MD5
42778ef0b5805a96f9511e20b5611fce

SHA1
6c3ed1d27b8a822a66dba5180837cda77c5e445f

SHA256
fdba794336e0776e12850af77674a568e984745e0c1fa7318f23b62b662cabd1

SHA512
2973fffd296405a43cfff915585381ebc634e142e0d5f6d19d6d49dbf604e3590462505837d14bfe5a8c03dc078822aa4380f30a15d9ed4ced18ab08416be5c0

Download Submit
C:\temp\lp.txt

Filesize
4B

MD5
a3147b88259a8e5745ebd59394aee83e

SHA1
e04483fa29ce2a62129c0e1624ac1b82fdd899e1

SHA256
007d45c89dfb5b1a7436620f9a146a9042eb6cbe23dda547da5dee1a56c941da

SHA512
d91d2a302f19ef2dbcd782168c068af282f6026481771a9eca9128ca934485691475cd594f285a8fa4e07860e0fe95892e802850facfba5be351cb3b1c57dafd

Download Submit
C:\temp\lp.txt

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
memory/1056-76-0x0000000004630000-0x0000000004985000-memory.dmp

Filesize
3.3MB

Download
memory/1056-73-0x0000000004630000-0x0000000004985000-memory.dmp

Filesize
3.3MB

Download
memory/1056-72-0x0000000004630000-0x0000000004985000-memory.dmp

Filesize
3.3MB

Download
memory/1056-75-0x0000000004630000-0x0000000004985000-memory.dmp

Filesize
3.3MB

Download
memory/1056-74-0x0000000004630000-0x0000000004985000-memory.dmp

Filesize
3.3MB

Download
memory/1056-46-0x0000000004630000-0x0000000004985000-memory.dmp

Filesize
3.3MB

Download
memory/3128-731-0x0000000004480000-0x00000000047D5000-memory.dmp

Filesize
3.3MB

Download
memory/3128-733-0x0000000004480000-0x00000000047D5000-memory.dmp

Filesize
3.3MB

Download
memory/3128-732-0x0000000004480000-0x00000000047D5000-memory.dmp

Filesize
3.3MB

Download
memory/3128-730-0x0000000004480000-0x00000000047D5000-memory.dmp

Filesize
3.3MB

Download
memory/3128-722-0x0000000004480000-0x00000000047D5000-memory.dmp

Filesize
3.3MB

Download
memory/3128-729-0x0000000004480000-0x00000000047D5000-memory.dmp

Filesize
3.3MB

Download
memory/3308-610-0x0000000004DC0000-0x0000000005115000-memory.dmp

Filesize
3.3MB

Download
memory/3336-37-0x0000000004E70000-0x0000000004FCA000-memory.dmp

Filesize
1.4MB

Download
memory/3336-36-0x0000000004C30000-0x0000000004C4A000-memory.dmp

Filesize
104KB

Download
memory/3336-35-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/4664-14-0x00007FF9B4AB0000-0x00007FF9B5572000-memory.dmp

Filesize
10.8MB

Download
memory/4664-13-0x00007FF9B4AB0000-0x00007FF9B5572000-memory.dmp

Filesize
10.8MB

Download
memory/4664-12-0x0000026463D70000-0x0000026463D92000-memory.dmp

Filesize
136KB

Download
memory/4664-2-0x00007FF9B4AB3000-0x00007FF9B4AB5000-memory.dmp

Filesize
8KB

Download
memory/4664-15-0x00000264665D0000-0x0000026466614000-memory.dmp

Filesize
272KB

Download
memory/4664-16-0x00007FF9B4AB0000-0x00007FF9B5572000-memory.dmp

Filesize
10.8MB

Download
memory/4664-17-0x00000264666A0000-0x0000026466716000-memory.dmp

Filesize
472KB

Download
memory/4664-18-0x0000026466620000-0x000002646663E000-memory.dmp

Filesize
120KB

Download
memory/4664-19-0x00007FF9B4AB3000-0x00007FF9B4AB5000-memory.dmp

Filesize
8KB

Download
memory/4664-20-0x00007FF9B4AB0000-0x00007FF9B5572000-memory.dmp

Filesize
10.8MB

Download
memory/4664-21-0x00007FF9B4AB0000-0x00007FF9B5572000-memory.dmp

Filesize
10.8MB

Download
memory/4664-22-0x00007FF9B4AB0000-0x00007FF9B5572000-memory.dmp

Filesize
10.8MB

Download