a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Analysis

max time kernel
172s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
Size

991KB
MD5

6637e6465738fbb8abbecedc4c8aa670
SHA1

4285cc2df049798aa78377d1480ec6e3ff6c17c4
SHA256

a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
SHA512

02b5e7268be3eebc8b3bebe6b469608337ff41fbfcb86f4eace942f1411be727c356de04a6fae4687ec6e56b60f49064ae6ebc5dacb6f06f72e107e9924f0fbb
SSDEEP

24576:kdb8dlMwPtNNajzoCtJXTQ67b6y41/x+g3Y+x:kdb8M+NAz1JXb7b6RDdx

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\BAMEwIQU\\hiwEogcM.exe,"	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\BAMEwIQU\\hiwEogcM.exe,"	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe

Modifies visibility of file extensions in Explorer 2 TTPs 31 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 31 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
4636	OCcYkkoM.exe
2484	hiwEogcM.exe
3656	msoggYUY.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hiwEogcM.exe = "C:\\ProgramData\\BAMEwIQU\\hiwEogcM.exe"	hiwEogcM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hiwEogcM.exe = "C:\\ProgramData\\BAMEwIQU\\hiwEogcM.exe"	msoggYUY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OCcYkkoM.exe = "C:\\Users\\Admin\\nIAoUgsw\\OCcYkkoM.exe"	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hiwEogcM.exe = "C:\\ProgramData\\BAMEwIQU\\hiwEogcM.exe"	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OCcYkkoM.exe = "C:\\Users\\Admin\\nIAoUgsw\\OCcYkkoM.exe"	OCcYkkoM.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\nIAoUgsw	msoggYUY.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\nIAoUgsw\OCcYkkoM	msoggYUY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
644	reg.exe
1312	reg.exe
4568	reg.exe
4552	reg.exe
4140	reg.exe
1048	reg.exe
3608	reg.exe
4440	reg.exe
4164	reg.exe
1112	reg.exe
3776	reg.exe
1912	reg.exe
1928	reg.exe
4712	reg.exe
4144	reg.exe
3288	reg.exe
4796	reg.exe
1708	reg.exe
1800	reg.exe
1640	reg.exe
3152	reg.exe
1124	reg.exe
4424	reg.exe
4112	reg.exe
4672	reg.exe
2108	reg.exe
2124	reg.exe
1492	reg.exe
3764	reg.exe
4844	reg.exe
2608	reg.exe
2252	reg.exe
3948	reg.exe
2376	reg.exe
4988	reg.exe
4788	reg.exe
2748	reg.exe
4320	reg.exe
3260	reg.exe
3996	reg.exe
4448	reg.exe
2480	reg.exe
3132	reg.exe
4108	reg.exe
3108	reg.exe
3244	reg.exe
696	reg.exe
4192	reg.exe
740	reg.exe
1660	reg.exe
2304	reg.exe
1928	reg.exe
5056	reg.exe
2576	reg.exe
2412	reg.exe
1148	reg.exe
2868	reg.exe
3244	reg.exe
4140	reg.exe
4620	reg.exe
1412	reg.exe
3556	reg.exe
3196	reg.exe
3108	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2396	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2396	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2396	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2396	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2200	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2200	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2200	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2200	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4312	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4312	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4312	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4312	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2024	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2024	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2024	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2024	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
5056	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
5056	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
5056	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
5056	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4612	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4612	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4612	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4612	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1516	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1516	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1516	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1516	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4908	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4908	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4908	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4908	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
5036	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
5036	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
5036	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
5036	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4728	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4728	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4728	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
4728	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2232	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2232	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2232	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
2232	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1904	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1904	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1904	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1904	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1108	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1108	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1108	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
1108	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 4636	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	82
PID 4180 wrote to memory of 4636	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	82
PID 4180 wrote to memory of 4636	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	82
PID 4180 wrote to memory of 2484	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	83
PID 4180 wrote to memory of 2484	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	83
PID 4180 wrote to memory of 2484	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	83
PID 4180 wrote to memory of 3912	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	85
PID 4180 wrote to memory of 3912	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	85
PID 4180 wrote to memory of 3912	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	85
PID 3912 wrote to memory of 4408	3912	cmd.exe	87
PID 3912 wrote to memory of 4408	3912	cmd.exe	87
PID 3912 wrote to memory of 4408	3912	cmd.exe	87
PID 4180 wrote to memory of 4192	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	88
PID 4180 wrote to memory of 4192	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	88
PID 4180 wrote to memory of 4192	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	88
PID 4180 wrote to memory of 1752	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	91
PID 4180 wrote to memory of 1752	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	91
PID 4180 wrote to memory of 1752	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	91
PID 4180 wrote to memory of 1312	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	90
PID 4180 wrote to memory of 1312	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	90
PID 4180 wrote to memory of 1312	4180	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	90
PID 4408 wrote to memory of 2468	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	94
PID 4408 wrote to memory of 2468	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	94
PID 4408 wrote to memory of 2468	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	94
PID 2468 wrote to memory of 4532	2468	cmd.exe	96
PID 2468 wrote to memory of 4532	2468	cmd.exe	96
PID 2468 wrote to memory of 4532	2468	cmd.exe	96
PID 4408 wrote to memory of 2108	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	97
PID 4408 wrote to memory of 2108	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	97
PID 4408 wrote to memory of 2108	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	97
PID 4408 wrote to memory of 2124	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	98
PID 4408 wrote to memory of 2124	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	98
PID 4408 wrote to memory of 2124	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	98
PID 4408 wrote to memory of 3152	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	102
PID 4408 wrote to memory of 3152	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	102
PID 4408 wrote to memory of 3152	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	102
PID 4408 wrote to memory of 640	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	100
PID 4408 wrote to memory of 640	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	100
PID 4408 wrote to memory of 640	4408	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	100
PID 4532 wrote to memory of 4396	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	103
PID 4532 wrote to memory of 4396	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	103
PID 4532 wrote to memory of 4396	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	103
PID 4532 wrote to memory of 3996	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	104
PID 4532 wrote to memory of 3996	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	104
PID 4532 wrote to memory of 3996	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	104
PID 4532 wrote to memory of 2448	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	105
PID 4532 wrote to memory of 2448	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	105
PID 4532 wrote to memory of 2448	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	105
PID 4532 wrote to memory of 5020	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	106
PID 4532 wrote to memory of 5020	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	106
PID 4532 wrote to memory of 5020	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	106
PID 4532 wrote to memory of 2776	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	107
PID 4532 wrote to memory of 2776	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	107
PID 4532 wrote to memory of 2776	4532	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	107
PID 4396 wrote to memory of 2396	4396	cmd.exe	115
PID 4396 wrote to memory of 2396	4396	cmd.exe	115
PID 4396 wrote to memory of 2396	4396	cmd.exe	115
PID 2776 wrote to memory of 4324	2776	cmd.exe	118
PID 2776 wrote to memory of 4324	2776	cmd.exe	118
PID 2776 wrote to memory of 4324	2776	cmd.exe	118
PID 640 wrote to memory of 5092	640	cmd.exe	117
PID 640 wrote to memory of 5092	640	cmd.exe	117
PID 640 wrote to memory of 5092	640	cmd.exe	117
PID 2396 wrote to memory of 1568	2396	a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe	120

C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
"C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\nIAoUgsw\OCcYkkoM.exe
  "C:\Users\Admin\nIAoUgsw\OCcYkkoM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4636
- C:\ProgramData\BAMEwIQU\hiwEogcM.exe
  "C:\ProgramData\BAMEwIQU\hiwEogcM.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
    C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        8⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        10⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        12⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        14⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        16⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        18⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        20⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        22⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        24⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        26⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        28⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        30⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        32⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        33⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        34⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        35⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        36⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        37⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        38⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        39⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        40⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        41⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        42⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        43⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        44⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        45⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        46⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        47⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        48⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        49⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        50⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        51⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        52⤵
        
        PID:504
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        53⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        54⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        55⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        56⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        57⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        58⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        59⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        60⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        61⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        62⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe
        
        C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f
        63⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f"
        64⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mywgogwo.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        64⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OicgMwwA.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        62⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\toMswkIE.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        60⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYEUcUYo.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        58⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmoAUggA.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        56⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyQcgEkI.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        54⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSgYQsgc.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        52⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQwsQEAg.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        50⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:3108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikQYQsYI.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        48⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:1800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSQgMMEI.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        46⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQwwssIU.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        44⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoIoMMMk.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        42⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIkIsMYI.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        40⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcIgsMQg.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        38⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SaksYMss.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        36⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuIAUEgM.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        34⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiAMEIck.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        32⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dossooIE.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        30⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYMYgYYw.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        28⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGYQYgIY.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        26⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAosQggo.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        24⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UusAMsAg.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        22⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAUUkgQY.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        20⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:4440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUUEgAwE.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        18⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HqMkEckc.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        16⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWMoQAYM.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        14⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\isUIsgsg.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        12⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGsAAwQc.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        10⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuwIAQMg.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        8⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4724
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3996
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2448
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:5020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAEYssEE.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4324
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2108
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muMAIAQg.bat" "C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:5092
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3152
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:4192
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1312
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1752

C:\ProgramData\vOIQEkwU\msoggYUY.exe
C:\ProgramData\vOIQEkwU\msoggYUY.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BAMEwIQU\hiwEogcM.exe

Filesize
981KB

MD5
9000b89572f599cbd940e3939182113e

SHA1
e477ea6ac96f93ff2f9cf9cc37f13173a3d8d77c

SHA256
ba0e430aaf2ef6a7a684b6e436d539e2a1bbc4989de10787f11b3f6b58e54cce

SHA512
fd672c7530239f5c78b77fa442f8b3626dc30040fbae763fa71779e380d6c4938ce6ba112e6a256b3565a0647cfcfb77785c2e5cbd1607f9d595613d5b0a78ca

Download Submit
C:\ProgramData\BAMEwIQU\hiwEogcM.exe

Filesize
981KB

MD5
9000b89572f599cbd940e3939182113e

SHA1
e477ea6ac96f93ff2f9cf9cc37f13173a3d8d77c

SHA256
ba0e430aaf2ef6a7a684b6e436d539e2a1bbc4989de10787f11b3f6b58e54cce

SHA512
fd672c7530239f5c78b77fa442f8b3626dc30040fbae763fa71779e380d6c4938ce6ba112e6a256b3565a0647cfcfb77785c2e5cbd1607f9d595613d5b0a78ca

Download Submit
C:\ProgramData\vOIQEkwU\msoggYUY.exe

Filesize
980KB

MD5
594245e3caf3e1f1ff491a3a094c5a92

SHA1
2ff7ce3e39eb42a8e7424bcd3194fc3fda4f422e

SHA256
03117e4d7225999c06dbea757fd4dd27afd9a67b51ea0a69b9dfdbeb697e5d66

SHA512
1df41a3621b7623de85c6a8fea617d4435c15d6ba6a8c86e32ae30b00f343fb6b66b2ef54fd1bea2884013cc1fe2a17a3480d11c399115713497f7dff8980fb7

Download Submit
C:\ProgramData\vOIQEkwU\msoggYUY.exe

Filesize
980KB

MD5
594245e3caf3e1f1ff491a3a094c5a92

SHA1
2ff7ce3e39eb42a8e7424bcd3194fc3fda4f422e

SHA256
03117e4d7225999c06dbea757fd4dd27afd9a67b51ea0a69b9dfdbeb697e5d66

SHA512
1df41a3621b7623de85c6a8fea617d4435c15d6ba6a8c86e32ae30b00f343fb6b66b2ef54fd1bea2884013cc1fe2a17a3480d11c399115713497f7dff8980fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAEYssEE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HqMkEckc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcIgsMQg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQwwssIU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYMYgYYw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoIoMMMk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SaksYMss.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TUUEgAwE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGsAAwQc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UusAMsAg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WiAMEIck.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XAosQggo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89ec40785cfb52eef4a4ce778ff0973040d730c643e064b54daa989c2cf593f

Filesize
6KB

MD5
fd99e1a7747f67763a8d32784a9aa3c3

SHA1
94fb50f7cbee9b7c6eb38228508c73fae8ec8474

SHA256
5fc50c87b3f84a7496233d9f21f8a577be40d436ab396ecf798a337300a56dcf

SHA512
14315f7bef33f5de2d37b27bcd73aa427b1a544a7d1ad8e8bc5edc88b27d8b73cdab43a5787ee898ab172e1396993478f35dfe6967150ea7caf16ff9dd75899c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dossooIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\isUIsgsg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\muMAIAQg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuwIAQMg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tIkIsMYI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tWMoQAYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAUUkgQY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yGYQYgIY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuIAUEgM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\nIAoUgsw\OCcYkkoM.exe

Filesize
981KB

MD5
490a3dbfae547af372f46914825f886b

SHA1
671d9b500d82867b65010f5202d50784792e4d13

SHA256
d6a38046e8417e16182b9f8800ea030ce8fc32d182098a7ecf7c0158dfef3e87

SHA512
48f574fed26596e5f570f22e5894c4505acc89aaa538e37780a4e0ecc006773b2df7fc8e219753e2b258823f70f7c1339e3566d340079bd059f17645f9479b55

Download Submit
C:\Users\Admin\nIAoUgsw\OCcYkkoM.exe

Filesize
981KB

MD5
490a3dbfae547af372f46914825f886b

SHA1
671d9b500d82867b65010f5202d50784792e4d13

SHA256
d6a38046e8417e16182b9f8800ea030ce8fc32d182098a7ecf7c0158dfef3e87

SHA512
48f574fed26596e5f570f22e5894c4505acc89aaa538e37780a4e0ecc006773b2df7fc8e219753e2b258823f70f7c1339e3566d340079bd059f17645f9479b55

Download Submit
memory/564-291-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/564-289-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/980-314-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/980-316-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1108-286-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1108-284-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1244-302-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1244-306-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1516-252-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1516-258-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1704-301-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1704-297-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1904-277-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1904-281-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2024-227-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2024-220-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2200-192-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2200-204-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2200-200-0x0000000002260000-0x0000000002265000-memory.dmp

Filesize
20KB

Download
memory/2232-274-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2232-276-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2396-178-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2396-191-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2484-151-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2484-149-0x00000000049E0000-0x0000000004A06000-memory.dmp

Filesize
152KB

Download
memory/2484-145-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/2492-296-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2492-294-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3656-154-0x00000000036A0000-0x00000000036C6000-memory.dmp

Filesize
152KB

Download
memory/3656-152-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/3656-146-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/3656-153-0x0000000003690000-0x0000000003695000-memory.dmp

Filesize
20KB

Download
memory/3760-321-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3760-322-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3844-323-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4180-134-0x0000000004B20000-0x0000000004B46000-memory.dmp

Filesize
152KB

Download
memory/4180-133-0x0000000004B10000-0x0000000004B15000-memory.dmp

Filesize
20KB

Download
memory/4180-135-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4180-132-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4312-215-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4312-202-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4408-169-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4408-160-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4532-167-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4532-176-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4612-251-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4612-243-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4636-147-0x00000000049D0000-0x00000000049D5000-memory.dmp

Filesize
20KB

Download
memory/4636-142-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4636-148-0x00000000049E0000-0x0000000004A06000-memory.dmp

Filesize
152KB

Download
memory/4636-150-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4728-271-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4728-268-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4728-269-0x00000000022C0000-0x00000000022C5000-memory.dmp

Filesize
20KB

Download
memory/4764-309-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4764-311-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4908-259-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4908-262-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4912-320-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/4912-319-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/5036-263-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/5036-265-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/5056-241-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/5056-232-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download