c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Analysis

max time kernel
158s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
Size

499KB
MD5

64e832aaf4aa94bfb4b06da5d0caadb0
SHA1

267e7c0fd1c010dfb9df69afef0a7d3bd2814b21
SHA256

c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
SHA512

7905b6fec216f8480658a8a1990e1d4b5955dd85c4827a01508fda111a5a3b065df5cf0b5bb5418b3828691d35f79d680d5b54298394897ab906d5eaf1e66b2e
SSDEEP

12288:r7Ft+KGGOznJDlXmEUchDVz9d9YUTckKjkGso:EDWEUcFnd9DT2J

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\faAkkYEw\\oioosMgo.exe,"	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\faAkkYEw\\oioosMgo.exe,"	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe

Modifies visibility of file extensions in Explorer 2 TTPs 61 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 61 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1952	qaswcYAs.exe
1528	oioosMgo.exe
3436	WWooQsQI.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	qaswcYAs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qaswcYAs.exe = "C:\\Users\\Admin\\bigcAkAs\\qaswcYAs.exe"	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oioosMgo.exe = "C:\\ProgramData\\faAkkYEw\\oioosMgo.exe"	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qaswcYAs.exe = "C:\\Users\\Admin\\bigcAkAs\\qaswcYAs.exe"	qaswcYAs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oioosMgo.exe = "C:\\ProgramData\\faAkkYEw\\oioosMgo.exe"	oioosMgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oioosMgo.exe = "C:\\ProgramData\\faAkkYEw\\oioosMgo.exe"	WWooQsQI.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sheSelectRestore.mpg	qaswcYAs.exe
File opened for modification	C:\Windows\SysWOW64\sheUnregisterFind.wma	qaswcYAs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\bigcAkAs	WWooQsQI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\bigcAkAs\qaswcYAs	WWooQsQI.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	qaswcYAs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4300	reg.exe
4948	reg.exe
2744	reg.exe
4816	reg.exe
2304	reg.exe
388	reg.exe
4120	reg.exe
1124	reg.exe
4264	reg.exe
2528	reg.exe
2128	reg.exe
4436	reg.exe
2276	reg.exe
2332	reg.exe
4652	reg.exe
60	reg.exe
4684	reg.exe
3452	reg.exe
3696	reg.exe
4856	reg.exe
4300	reg.exe
3836	reg.exe
3112	reg.exe
3064	reg.exe
620	reg.exe
748	reg.exe
3080	reg.exe
1288	reg.exe
2440	reg.exe
5112	reg.exe
4868	reg.exe
2672	reg.exe
864	reg.exe
372	reg.exe
2752	reg.exe
1016	reg.exe
3196	reg.exe
4252	reg.exe
3292	reg.exe
3848	reg.exe
1432	reg.exe
1348	reg.exe
3728	reg.exe
2008	reg.exe
4652	reg.exe
4628	reg.exe
2296	reg.exe
4156	reg.exe
4172	reg.exe
4672	reg.exe
4124	reg.exe
2304	reg.exe
1832	reg.exe
900	reg.exe
3992	reg.exe
4560	reg.exe
3012	reg.exe
620	reg.exe
3928	reg.exe
1124	reg.exe
1316	reg.exe
5008	reg.exe
5028	reg.exe
4856	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4552	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4552	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4552	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4552	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
64	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
64	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
64	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
64	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1928	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1928	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1928	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1928	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4736	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4736	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4736	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4736	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
964	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
964	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
964	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
964	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1432	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1432	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1432	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1432	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3616	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3616	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3616	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3616	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
804	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
804	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
804	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
804	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4748	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4748	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4748	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
4748	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
748	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
748	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
748	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
748	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3124	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3124	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3124	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3124	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3588	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3588	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3588	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
3588	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1868	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1868	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1868	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
1868	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1952	qaswcYAs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe
1952	qaswcYAs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1952	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	84
PID 2104 wrote to memory of 1952	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	84
PID 2104 wrote to memory of 1952	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	84
PID 2104 wrote to memory of 1528	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	85
PID 2104 wrote to memory of 1528	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	85
PID 2104 wrote to memory of 1528	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	85
PID 2104 wrote to memory of 4032	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	87
PID 2104 wrote to memory of 4032	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	87
PID 2104 wrote to memory of 4032	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	87
PID 2104 wrote to memory of 3080	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	90
PID 2104 wrote to memory of 3080	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	90
PID 2104 wrote to memory of 3080	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	90
PID 4032 wrote to memory of 4244	4032	cmd.exe	89
PID 4032 wrote to memory of 4244	4032	cmd.exe	89
PID 4032 wrote to memory of 4244	4032	cmd.exe	89
PID 2104 wrote to memory of 4852	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	91
PID 2104 wrote to memory of 4852	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	91
PID 2104 wrote to memory of 4852	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	91
PID 2104 wrote to memory of 3580	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	92
PID 2104 wrote to memory of 3580	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	92
PID 2104 wrote to memory of 3580	2104	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	92
PID 4244 wrote to memory of 2720	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	96
PID 4244 wrote to memory of 2720	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	96
PID 4244 wrote to memory of 2720	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	96
PID 4244 wrote to memory of 1288	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	97
PID 4244 wrote to memory of 1288	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	97
PID 4244 wrote to memory of 1288	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	97
PID 4244 wrote to memory of 4160	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	98
PID 4244 wrote to memory of 4160	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	98
PID 4244 wrote to memory of 4160	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	98
PID 4244 wrote to memory of 5084	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	100
PID 4244 wrote to memory of 5084	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	100
PID 4244 wrote to memory of 5084	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	100
PID 4244 wrote to memory of 4304	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	99
PID 4244 wrote to memory of 4304	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	99
PID 4244 wrote to memory of 4304	4244	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	99
PID 2720 wrote to memory of 376	2720	cmd.exe	106
PID 2720 wrote to memory of 376	2720	cmd.exe	106
PID 2720 wrote to memory of 376	2720	cmd.exe	106
PID 4304 wrote to memory of 4080	4304	cmd.exe	107
PID 4304 wrote to memory of 4080	4304	cmd.exe	107
PID 4304 wrote to memory of 4080	4304	cmd.exe	107
PID 376 wrote to memory of 2476	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	108
PID 376 wrote to memory of 2476	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	108
PID 376 wrote to memory of 2476	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	108
PID 376 wrote to memory of 1848	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	110
PID 376 wrote to memory of 1848	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	110
PID 376 wrote to memory of 1848	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	110
PID 376 wrote to memory of 4252	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	112
PID 376 wrote to memory of 4252	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	112
PID 376 wrote to memory of 4252	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	112
PID 376 wrote to memory of 2116	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	114
PID 376 wrote to memory of 2116	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	114
PID 376 wrote to memory of 2116	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	114
PID 376 wrote to memory of 3336	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	116
PID 376 wrote to memory of 3336	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	116
PID 376 wrote to memory of 3336	376	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	116
PID 2476 wrote to memory of 4552	2476	cmd.exe	119
PID 2476 wrote to memory of 4552	2476	cmd.exe	119
PID 2476 wrote to memory of 4552	2476	cmd.exe	119
PID 3336 wrote to memory of 3460	3336	cmd.exe	118
PID 3336 wrote to memory of 3460	3336	cmd.exe	118
PID 3336 wrote to memory of 3460	3336	cmd.exe	118
PID 4552 wrote to memory of 4884	4552	c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe	120

C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
"C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\bigcAkAs\qaswcYAs.exe
  "C:\Users\Admin\bigcAkAs\qaswcYAs.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1952
- C:\ProgramData\faAkkYEw\oioosMgo.exe
  "C:\ProgramData\faAkkYEw\oioosMgo.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
    C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        8⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        10⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        12⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        14⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        16⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        18⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        20⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        22⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        24⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        26⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        28⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        30⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        32⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        33⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        34⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        35⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        36⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        37⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        38⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        39⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        40⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        41⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        42⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        43⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        44⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        45⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        46⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        47⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        48⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        49⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        50⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        51⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        52⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        53⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        54⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        55⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        56⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        57⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        58⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        59⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        60⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        61⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        62⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        63⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        64⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        65⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        66⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        67⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        68⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        69⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        70⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        71⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        72⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        73⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        74⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        75⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        76⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        77⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        78⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        79⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        80⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        81⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        82⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        83⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        84⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        85⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        86⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        87⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        88⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        89⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        90⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        91⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        92⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        93⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        94⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        95⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        96⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        97⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        98⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        99⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        100⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        101⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        102⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        103⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        104⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        105⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        106⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        107⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        108⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        109⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        110⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        111⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        112⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        113⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        114⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        115⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        116⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        117⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        118⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        119⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        120⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe
        
        C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215
        121⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215"
        122⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEEUkIME.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        122⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUgkQAkM.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        120⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIMUoQsU.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        118⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYgIgUAA.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        116⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGEoMoMc.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        114⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSoAgckE.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        112⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAoEAYkI.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        110⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUwEwkoo.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        108⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKcUIcgI.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        106⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zswwoMck.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        104⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        Modifies registry key
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqQQAkEg.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        102⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        
        PID:3100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyQkwMUo.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        100⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkckQoIc.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        98⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQMooEYo.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        96⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOcMsckI.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        94⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSIUoswQ.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        92⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        Modifies registry key
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PeMkEoQM.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        90⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        Modifies registry key
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RCgkgQkk.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        88⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GaoEMoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        86⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUgEEEII.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        84⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUUMgEgU.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        82⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGUEcMoI.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        80⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feggAIQU.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        78⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgEogYEI.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        76⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ouswEkQw.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        74⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEcwIYEA.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        72⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmgAwYko.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        70⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGsQgkUE.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        68⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyQkccgY.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        66⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOYwcIkk.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        64⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FSwAkMYA.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        62⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwAwMscw.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        60⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RocIEcYE.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        58⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywMsYcYU.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        56⤵
        
        PID:420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eYwMQEIM.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        54⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKQggkwQ.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        52⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKkIgIEk.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        50⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwoEoYAA.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        48⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMEMQocM.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        46⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fwkoskks.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        44⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWUwgEQA.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        42⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksYEAwYw.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        40⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:4588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nQkQQQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        38⤵
        
        PID:4728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROIkEssY.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        36⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeEIwEMM.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        34⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euUYUUwQ.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        32⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIoYQwwE.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        30⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkscwAss.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        28⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmowUggk.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        26⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOQQgIwA.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        24⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOowIYIE.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        22⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqQUgQws.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        20⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akwEAUIs.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        18⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TacQMkss.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        16⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owoYEAcg.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        14⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWkwAUIg.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        12⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akkQAAgk.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        10⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOcIEMks.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        8⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:216
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1848
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:4252
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmIosQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3460
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1288
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:4160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQooYUko.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4304
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4080
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:5084
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:3080
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:4852
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEsQUgAI.bat" "C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215.exe""
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:948

C:\ProgramData\AAoMUsoA\WWooQsQI.exe
C:\ProgramData\AAoMUsoA\WWooQsQI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AAoMUsoA\WWooQsQI.exe

Filesize
478KB

MD5
b26d072b090c153e7143ed9d0196ef89

SHA1
bcc979c868d44fe76577d64e4942e7d5890f95f2

SHA256
6310baa588209859d258c6a5ece4bb0eb004587f9d14552e84dfe63125f1ebbf

SHA512
159de4c87e2935395769f53569e3f60da8a25f9b80e67e6e4bde9201aa221aca0c212812b7d9ba991affd1cf9038aa7e0b59d6200cebc7ac1a9ffd85fea6ddcc

Download Submit
C:\ProgramData\AAoMUsoA\WWooQsQI.exe

Filesize
478KB

MD5
b26d072b090c153e7143ed9d0196ef89

SHA1
bcc979c868d44fe76577d64e4942e7d5890f95f2

SHA256
6310baa588209859d258c6a5ece4bb0eb004587f9d14552e84dfe63125f1ebbf

SHA512
159de4c87e2935395769f53569e3f60da8a25f9b80e67e6e4bde9201aa221aca0c212812b7d9ba991affd1cf9038aa7e0b59d6200cebc7ac1a9ffd85fea6ddcc

Download Submit
C:\ProgramData\faAkkYEw\oioosMgo.exe

Filesize
480KB

MD5
ce2fdd682ecea26da075b9e49ae0dd4e

SHA1
a1e6443f361a4449f48d306df5d045b2f5ab3a5e

SHA256
170cc0e061fb7ef1faa8de9faf082ee88e601010ff21756ba2ac7fba42932f37

SHA512
c2a5d1b6790b0dd8cae06f226953238610487a862522f7dc0167123d56e727d5691b6e0cd5465264dbacc43a1ba314e6aee03a5537ea310bbf4c79b5f188e08d

Download Submit
C:\ProgramData\faAkkYEw\oioosMgo.exe

Filesize
480KB

MD5
ce2fdd682ecea26da075b9e49ae0dd4e

SHA1
a1e6443f361a4449f48d306df5d045b2f5ab3a5e

SHA256
170cc0e061fb7ef1faa8de9faf082ee88e601010ff21756ba2ac7fba42932f37

SHA512
c2a5d1b6790b0dd8cae06f226953238610487a862522f7dc0167123d56e727d5691b6e0cd5465264dbacc43a1ba314e6aee03a5537ea310bbf4c79b5f188e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWkwAUIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQooYUko.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqQUgQws.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NkscwAss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIoYQwwE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROIkEssY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TacQMkss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YOQQgIwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\akkQAAgk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\akwEAUIs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0454123be71623cf0f54d69931613db919f4dcbe40f1ff0fa66e8d77fe5e215

Filesize
6KB

MD5
d3ab425b258de25415358116b5a507d8

SHA1
5f1cd2914105fcc99d08d0dfd07ab52cc8be2095

SHA256
5d6f342681f420179a8832d6cfb0a1081a8a7ce1268736ef95a63896137694d5

SHA512
14561e1660ccdc68f1a51785b2617676842562942336921c2e2adc2860190796f9cebf7087fd0c1be745cc22cf52831eaa2d1f9e45c9049af6ad4b8dbcc4ec06

Download Submit
C:\Users\Admin\AppData\Local\Temp\eOcIEMks.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eWUwgEQA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\euUYUUwQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmIosQgQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksYEAwYw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQkQQQQQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\owoYEAcg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmowUggk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOowIYIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zeEIwEMM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\bigcAkAs\qaswcYAs.exe

Filesize
478KB

MD5
7ce591249160cd86517d44e4cdf8a21a

SHA1
2161557a9d1ba825cd26b78402785c8dd6620b24

SHA256
75ab69059fbd26bca0e34e052f07e906e2e9ed6b1d750d2eb5a235920dd739dd

SHA512
d02607852a94d0b669db45023a4b04715493203bbd74b3d54e8e72211b829a273e940b515cacdd0815bdd67a70ea383d4b8584a3c478dd8b626ae01c32f3cf0d

Download Submit
C:\Users\Admin\bigcAkAs\qaswcYAs.exe

Filesize
478KB

MD5
7ce591249160cd86517d44e4cdf8a21a

SHA1
2161557a9d1ba825cd26b78402785c8dd6620b24

SHA256
75ab69059fbd26bca0e34e052f07e906e2e9ed6b1d750d2eb5a235920dd739dd

SHA512
d02607852a94d0b669db45023a4b04715493203bbd74b3d54e8e72211b829a273e940b515cacdd0815bdd67a70ea383d4b8584a3c478dd8b626ae01c32f3cf0d

Download Submit
memory/64-188-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/376-168-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/748-258-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/800-316-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/804-249-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/964-225-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1016-325-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1036-312-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1080-298-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1288-279-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1432-239-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1528-236-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1528-145-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1836-300-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1868-271-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1928-203-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1952-234-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1952-144-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1976-291-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2076-313-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2080-323-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2080-324-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2104-301-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2104-135-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2104-224-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2308-275-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2392-309-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2392-308-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2804-326-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3020-307-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3020-306-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-320-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3044-321-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3084-293-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3084-294-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3092-296-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3092-297-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3124-262-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3260-283-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3336-302-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3336-303-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3436-238-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3436-146-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3456-311-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3456-310-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3460-322-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3588-267-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3616-244-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3616-247-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4076-287-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4084-305-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4108-299-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4244-158-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4356-295-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4408-304-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4492-317-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4492-318-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4524-315-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4552-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4552-181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4736-213-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4740-319-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4748-255-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4800-314-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download