26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Analysis

max time kernel
155s
max time network
164s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
Size

992KB
MD5

6dbbbb6f76eab51869cb02498c4b4940
SHA1

3dc036ac7776ce5bbda4ff4ba640b189a13dc83b
SHA256

26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
SHA512

3a407b2b7e0e52593d066e9b7965708350fedcb298629e04ff0478545b275c056a5c26228ab2b553a7c8167fca1fcc284e8a89ae976593574071d7495f062a63
SSDEEP

24576:zTqw9suaFOuCp51vB8zZUQlzg3aF05zGQlp2V:zTf9sBFAqzZ4s017D2V

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\LYsAwMoQ\\QWIcscYk.exe,"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\LYsAwMoQ\\QWIcscYk.exe,"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe

Modifies visibility of file extensions in Explorer 2 TTPs 34 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 34 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1976	uIcYIkws.exe
1064	QWIcscYk.exe
952	EekskocU.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\MergeUnlock.png.exe	QWIcscYk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	QWIcscYk.exe

Loads dropped DLL 26 IoCs

pid	Process
288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\uIcYIkws.exe = "C:\\Users\\Admin\\XEwgoUwo\\uIcYIkws.exe"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QWIcscYk.exe = "C:\\ProgramData\\LYsAwMoQ\\QWIcscYk.exe"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\uIcYIkws.exe = "C:\\Users\\Admin\\XEwgoUwo\\uIcYIkws.exe"	uIcYIkws.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QWIcscYk.exe = "C:\\ProgramData\\LYsAwMoQ\\QWIcscYk.exe"	QWIcscYk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QWIcscYk.exe = "C:\\ProgramData\\LYsAwMoQ\\QWIcscYk.exe"	EekskocU.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\XEwgoUwo	EekskocU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\XEwgoUwo\uIcYIkws	EekskocU.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	QWIcscYk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
572	reg.exe
1332	reg.exe
636	reg.exe
1980	reg.exe
572	reg.exe
1520	reg.exe
2028	reg.exe
1492	reg.exe
1764	reg.exe
1772	reg.exe
1776	reg.exe
1616	reg.exe
1356	reg.exe
976	reg.exe
304	reg.exe
1164	reg.exe
1384	reg.exe
1724	reg.exe
1260	reg.exe
1816	reg.exe
1576	reg.exe
1708	reg.exe
968	reg.exe
2000	reg.exe
1124	reg.exe
1292	reg.exe
1476	reg.exe
2044	reg.exe
1124	reg.exe
1332	reg.exe
764	reg.exe
1496	reg.exe
1776	reg.exe
1372	reg.exe
540	reg.exe
540	reg.exe
1120	reg.exe
964	reg.exe
800	reg.exe
1140	reg.exe
636	reg.exe
1620	reg.exe
592	reg.exe
1088	reg.exe
572	reg.exe
796	reg.exe
1140	reg.exe
1900	reg.exe
1900	reg.exe
1968	reg.exe
688	reg.exe
1792	reg.exe
1828	reg.exe
956	reg.exe
1792	reg.exe
592	reg.exe
1520	reg.exe
560	reg.exe
628	reg.exe
1244	reg.exe
1820	reg.exe
840	reg.exe
860	reg.exe
992	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1640	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1640	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1508	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1508	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
628	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
628	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1140	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1140	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
868	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
868	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1656	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1656	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
280	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
280	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1292	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1292	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1812	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1812	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1000	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1000	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1072	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1072	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1496	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1496	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1712	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1712	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1564	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1564	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
764	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
764	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1320	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1320	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
856	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
856	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1644	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1644	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1512	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1512	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1900	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1900	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
540	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
540	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1420	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1420	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1496	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1496	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
956	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
956	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1724	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1724	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
636	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
636	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
544	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
544	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1420	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1420	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2044	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2044	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe
1064	QWIcscYk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1976	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	26
PID 288 wrote to memory of 1976	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	26
PID 288 wrote to memory of 1976	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	26
PID 288 wrote to memory of 1976	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	26
PID 288 wrote to memory of 1064	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	27
PID 288 wrote to memory of 1064	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	27
PID 288 wrote to memory of 1064	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	27
PID 288 wrote to memory of 1064	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	27
PID 288 wrote to memory of 1520	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	29
PID 288 wrote to memory of 1520	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	29
PID 288 wrote to memory of 1520	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	29
PID 288 wrote to memory of 1520	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	29
PID 1520 wrote to memory of 984	1520	cmd.exe	32
PID 1520 wrote to memory of 984	1520	cmd.exe	32
PID 1520 wrote to memory of 984	1520	cmd.exe	32
PID 1520 wrote to memory of 984	1520	cmd.exe	32
PID 984 wrote to memory of 1452	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	33
PID 984 wrote to memory of 1452	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	33
PID 984 wrote to memory of 1452	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	33
PID 984 wrote to memory of 1452	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	33
PID 1452 wrote to memory of 1984	1452	cmd.exe	35
PID 1452 wrote to memory of 1984	1452	cmd.exe	35
PID 1452 wrote to memory of 1984	1452	cmd.exe	35
PID 1452 wrote to memory of 1984	1452	cmd.exe	35
PID 984 wrote to memory of 1968	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	36
PID 984 wrote to memory of 1968	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	36
PID 984 wrote to memory of 1968	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	36
PID 984 wrote to memory of 1968	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	36
PID 288 wrote to memory of 1772	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	31
PID 288 wrote to memory of 1772	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	31
PID 288 wrote to memory of 1772	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	31
PID 288 wrote to memory of 1772	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	31
PID 984 wrote to memory of 840	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	38
PID 984 wrote to memory of 840	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	38
PID 984 wrote to memory of 840	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	38
PID 984 wrote to memory of 840	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	38
PID 288 wrote to memory of 560	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	37
PID 288 wrote to memory of 560	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	37
PID 288 wrote to memory of 560	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	37
PID 288 wrote to memory of 560	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	37
PID 288 wrote to memory of 976	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	44
PID 288 wrote to memory of 976	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	44
PID 288 wrote to memory of 976	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	44
PID 288 wrote to memory of 976	288	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	44
PID 984 wrote to memory of 1776	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	43
PID 984 wrote to memory of 1776	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	43
PID 984 wrote to memory of 1776	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	43
PID 984 wrote to memory of 1776	984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	43
PID 1984 wrote to memory of 1812	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	47
PID 1984 wrote to memory of 1812	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	47
PID 1984 wrote to memory of 1812	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	47
PID 1984 wrote to memory of 1812	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	47
PID 1812 wrote to memory of 1640	1812	cmd.exe	49
PID 1812 wrote to memory of 1640	1812	cmd.exe	49
PID 1812 wrote to memory of 1640	1812	cmd.exe	49
PID 1812 wrote to memory of 1640	1812	cmd.exe	49
PID 1984 wrote to memory of 1384	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	50
PID 1984 wrote to memory of 1384	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	50
PID 1984 wrote to memory of 1384	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	50
PID 1984 wrote to memory of 1384	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	50
PID 1984 wrote to memory of 860	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	51
PID 1984 wrote to memory of 860	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	51
PID 1984 wrote to memory of 860	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	51
PID 1984 wrote to memory of 860	1984	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	51

C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
"C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:288
- C:\Users\Admin\XEwgoUwo\uIcYIkws.exe
  "C:\Users\Admin\XEwgoUwo\uIcYIkws.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1976
- C:\ProgramData\LYsAwMoQ\QWIcscYk.exe
  "C:\ProgramData\LYsAwMoQ\QWIcscYk.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  PID:1064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
    C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        8⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        10⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        12⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        14⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        16⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        18⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        20⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        22⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        24⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        26⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        28⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        30⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        32⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        34⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        36⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        38⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        40⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        42⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        44⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        46⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        48⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        50⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        52⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        54⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        56⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        58⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        60⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        62⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        64⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        65⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        66⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        67⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aiAIgoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        66⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WKwYAYkk.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        64⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\fCUoQEAw.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        62⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EYcoswkY.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        60⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aygYIUkM.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        58⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NGEMAIYo.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        56⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CqkAIMAw.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        54⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\uwQoUMYE.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        52⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUQYoEoc.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        50⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\OckMgwUg.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        48⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zUQYEEck.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        46⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jUwsoYoU.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        44⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\legcgQEE.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        42⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kecUMAsY.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        40⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EkQoYYgU.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        38⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIoQAggk.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        36⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CaMEgMUM.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        34⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAEgcEsY.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        32⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\akcEAQQg.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        30⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WWAMYggM.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        28⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ViAIMwAM.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        26⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BqQUwkwA.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        24⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FEUgMkwA.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        22⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RqYcAgMk.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        20⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YYgkkosw.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        18⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bgQQcAcs.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        16⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\caIkggwQ.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        14⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMkYckUE.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        12⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HAsUQQIM.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        10⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\xsoAwEwc.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        8⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:840
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1384
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:860
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:628
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jucYgooU.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        6⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\jgkMAsMU.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
      4⤵
      PID:776
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:280
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1772
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:560
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\lmAYEwgM.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2000

C:\ProgramData\lcUMUoEM\EekskocU.exe
C:\ProgramData\lcUMUoEM\EekskocU.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LYsAwMoQ\QWIcscYk.exe

Filesize
983KB

MD5
460614a9e453f7a385c1d4e1e61164c8

SHA1
8c5f51ea5722ad9ef1a997141688b7ccf2378d45

SHA256
34a3716fafa079dd0a9cbeea07ca0866c2ce60b91eba7c0bcf89460da38b914f

SHA512
e7c9f9a39727cec33e26ecc3b1a7d073fddf63cdfbe4defebd8688c73c8bb278c12deb83a29cbcdc3b0dd15b66db261c66e26fde4596f11879b4e3b6ef89bf6b

Download Submit
C:\ProgramData\LYsAwMoQ\QWIcscYk.exe

Filesize
983KB

MD5
460614a9e453f7a385c1d4e1e61164c8

SHA1
8c5f51ea5722ad9ef1a997141688b7ccf2378d45

SHA256
34a3716fafa079dd0a9cbeea07ca0866c2ce60b91eba7c0bcf89460da38b914f

SHA512
e7c9f9a39727cec33e26ecc3b1a7d073fddf63cdfbe4defebd8688c73c8bb278c12deb83a29cbcdc3b0dd15b66db261c66e26fde4596f11879b4e3b6ef89bf6b

Download Submit
C:\ProgramData\lcUMUoEM\EekskocU.exe

Filesize
983KB

MD5
088789d82ef1acfef90298a8f2dab894

SHA1
cd133fcf1a78dd44663f79373f6a837d742dd9f8

SHA256
83dd2e2a5708e64940a3ac72bf1303c25f489205195a947cb5dffc5069107de0

SHA512
ada03c4bc7773675e7069c1ab08b0fd605289e13725f8198649b0d1e662c5cf6a617c7abf88fa3e792d2afc8f2a21d9cc2d77cd2269b2a833264cd043763b93f

Download Submit
C:\ProgramData\lcUMUoEM\EekskocU.exe

Filesize
983KB

MD5
088789d82ef1acfef90298a8f2dab894

SHA1
cd133fcf1a78dd44663f79373f6a837d742dd9f8

SHA256
83dd2e2a5708e64940a3ac72bf1303c25f489205195a947cb5dffc5069107de0

SHA512
ada03c4bc7773675e7069c1ab08b0fd605289e13725f8198649b0d1e662c5cf6a617c7abf88fa3e792d2afc8f2a21d9cc2d77cd2269b2a833264cd043763b93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqQUwkwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEUgMkwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAsUQQIM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqYcAgMk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViAIMwAM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WWAMYggM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYgkkosw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMkYckUE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\caIkggwQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgkMAsMU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\jucYgooU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmAYEwgM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsoAwEwc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\XEwgoUwo\uIcYIkws.exe

Filesize
981KB

MD5
a2ba001fb131bf8822d49a5e19b95da7

SHA1
8fe9625343b762ec1b88f72dc11d5ea34b35490d

SHA256
45fe820cade7d41c5a51c1f20776c115ccab45e35f4fc8b0800251862911cb7d

SHA512
9e1d24ceace91a1e64472e83f4298441d96c8f83dfce60f8fd16d2484e6cb7590e1ef9f839e1398e4ee2be5164b8fd2234bccd9f8c9b6ec74616c6cf0ef55c74

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\LYsAwMoQ\QWIcscYk.exe

Filesize
983KB

MD5
460614a9e453f7a385c1d4e1e61164c8

SHA1
8c5f51ea5722ad9ef1a997141688b7ccf2378d45

SHA256
34a3716fafa079dd0a9cbeea07ca0866c2ce60b91eba7c0bcf89460da38b914f

SHA512
e7c9f9a39727cec33e26ecc3b1a7d073fddf63cdfbe4defebd8688c73c8bb278c12deb83a29cbcdc3b0dd15b66db261c66e26fde4596f11879b4e3b6ef89bf6b

Download Submit
\ProgramData\LYsAwMoQ\QWIcscYk.exe

Filesize
983KB

MD5
460614a9e453f7a385c1d4e1e61164c8

SHA1
8c5f51ea5722ad9ef1a997141688b7ccf2378d45

SHA256
34a3716fafa079dd0a9cbeea07ca0866c2ce60b91eba7c0bcf89460da38b914f

SHA512
e7c9f9a39727cec33e26ecc3b1a7d073fddf63cdfbe4defebd8688c73c8bb278c12deb83a29cbcdc3b0dd15b66db261c66e26fde4596f11879b4e3b6ef89bf6b

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
445KB

MD5
1191ba2a9908ee79c0220221233e850a

SHA1
f2acd26b864b38821ba3637f8f701b8ba19c434f

SHA256
4670e1ecb4b136d81148401cd71737ccf1376c772fa513a3e176b8ce8b8f982d

SHA512
da61b9baa2f2aedc5ecb1d664368afffe080f76e5d167494cea9f8e72a03a8c2484c24a36d4042a6fd8602ab1adc946546a83fc6a4968dfaa8955e3e3a4c2e50

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
633KB

MD5
a9993e4a107abf84e456b796c65a9899

SHA1
5852b1acacd33118bce4c46348ee6c5aa7ad12eb

SHA256
dfa88ba4491ac48f49c1b80011eddfd650cc14de43f5a4d3218fb79acb2f2dbc

SHA512
d75c44a1a1264c878a9db71993f5e923dc18935aa925b23b147d18807605e6fe8048af92b0efe43934252d688f8b0279363b1418293664a668a491d901aef1d9

Download Submit
\Users\Admin\XEwgoUwo\uIcYIkws.exe

Filesize
981KB

MD5
a2ba001fb131bf8822d49a5e19b95da7

SHA1
8fe9625343b762ec1b88f72dc11d5ea34b35490d

SHA256
45fe820cade7d41c5a51c1f20776c115ccab45e35f4fc8b0800251862911cb7d

SHA512
9e1d24ceace91a1e64472e83f4298441d96c8f83dfce60f8fd16d2484e6cb7590e1ef9f839e1398e4ee2be5164b8fd2234bccd9f8c9b6ec74616c6cf0ef55c74

Download Submit
\Users\Admin\XEwgoUwo\uIcYIkws.exe

Filesize
981KB

MD5
a2ba001fb131bf8822d49a5e19b95da7

SHA1
8fe9625343b762ec1b88f72dc11d5ea34b35490d

SHA256
45fe820cade7d41c5a51c1f20776c115ccab45e35f4fc8b0800251862911cb7d

SHA512
9e1d24ceace91a1e64472e83f4298441d96c8f83dfce60f8fd16d2484e6cb7590e1ef9f839e1398e4ee2be5164b8fd2234bccd9f8c9b6ec74616c6cf0ef55c74

Download Submit
memory/280-200-0x0000000000000000-mapping.dmp

Download
memory/280-221-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/280-209-0x00000000006B0000-0x00000000006D6000-memory.dmp

Filesize
152KB

Download
memory/280-207-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/280-208-0x00000000006A0000-0x00000000006A5000-memory.dmp

Filesize
20KB

Download
memory/288-57-0x00000000047B0000-0x00000000047D6000-memory.dmp

Filesize
152KB

Download
memory/288-58-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/288-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/288-115-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/288-54-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/288-56-0x00000000047A0000-0x00000000047A5000-memory.dmp

Filesize
20KB

Download
memory/304-159-0x0000000000000000-mapping.dmp

Download
memory/308-158-0x0000000000000000-mapping.dmp

Download
memory/540-204-0x0000000000000000-mapping.dmp

Download
memory/544-113-0x0000000000000000-mapping.dmp

Download
memory/560-98-0x0000000000000000-mapping.dmp

Download
memory/572-195-0x0000000000000000-mapping.dmp

Download
memory/584-182-0x0000000000000000-mapping.dmp

Download
memory/592-205-0x0000000000000000-mapping.dmp

Download
memory/628-141-0x0000000000000000-mapping.dmp

Download
memory/628-143-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/628-111-0x0000000000000000-mapping.dmp

Download
memory/628-163-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/636-144-0x0000000000000000-mapping.dmp

Download
memory/796-212-0x0000000000000000-mapping.dmp

Download
memory/796-134-0x0000000000000000-mapping.dmp

Download
memory/840-210-0x0000000000000000-mapping.dmp

Download
memory/840-97-0x0000000000000000-mapping.dmp

Download
memory/840-135-0x0000000000000000-mapping.dmp

Download
memory/860-109-0x0000000000000000-mapping.dmp

Download
memory/860-178-0x0000000000000000-mapping.dmp

Download
memory/868-171-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/868-196-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/868-169-0x0000000000000000-mapping.dmp

Download
memory/912-193-0x0000000000000000-mapping.dmp

Download
memory/952-152-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/952-79-0x0000000003470000-0x0000000003496000-memory.dmp

Filesize
152KB

Download
memory/952-78-0x0000000003460000-0x0000000003465000-memory.dmp

Filesize
20KB

Download
memory/952-73-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/976-217-0x0000000000000000-mapping.dmp

Download
memory/976-102-0x0000000000000000-mapping.dmp

Download
memory/984-85-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/984-237-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/984-175-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/984-83-0x0000000000000000-mapping.dmp

Download
memory/1000-245-0x0000000000650000-0x0000000000655000-memory.dmp

Filesize
20KB

Download
memory/1000-246-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1000-249-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1064-72-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1064-74-0x00000000047B0000-0x00000000047D6000-memory.dmp

Filesize
152KB

Download
memory/1064-151-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1064-66-0x0000000000000000-mapping.dmp

Download
memory/1072-256-0x00000000047E0000-0x0000000004806000-memory.dmp

Filesize
152KB

Download
memory/1072-250-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1072-259-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1084-129-0x0000000000000000-mapping.dmp

Download
memory/1140-179-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1140-156-0x0000000000000000-mapping.dmp

Download
memory/1140-128-0x0000000000000000-mapping.dmp

Download
memory/1140-166-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1176-140-0x0000000000000000-mapping.dmp

Download
memory/1244-190-0x0000000000000000-mapping.dmp

Download
memory/1292-215-0x0000000000000000-mapping.dmp

Download
memory/1292-165-0x0000000000000000-mapping.dmp

Download
memory/1292-231-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1292-145-0x0000000000000000-mapping.dmp

Download
memory/1292-220-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1292-229-0x00000000005D0000-0x00000000005F6000-memory.dmp

Filesize
152KB

Download
memory/1292-228-0x00000000005A0000-0x00000000005A5000-memory.dmp

Filesize
20KB

Download
memory/1332-148-0x0000000000000000-mapping.dmp

Download
memory/1372-173-0x0000000000000000-mapping.dmp

Download
memory/1384-108-0x0000000000000000-mapping.dmp

Download
memory/1452-92-0x0000000000000000-mapping.dmp

Download
memory/1476-146-0x0000000000000000-mapping.dmp

Download
memory/1492-177-0x0000000000000000-mapping.dmp

Download
memory/1496-264-0x0000000000680000-0x00000000006A6000-memory.dmp

Filesize
152KB

Download
memory/1496-263-0x0000000000670000-0x0000000000675000-memory.dmp

Filesize
20KB

Download
memory/1496-257-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1496-272-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1504-126-0x0000000000000000-mapping.dmp

Download
memory/1508-137-0x0000000000770000-0x0000000000775000-memory.dmp

Filesize
20KB

Download
memory/1508-123-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1508-172-0x0000000000000000-mapping.dmp

Download
memory/1508-138-0x0000000000780000-0x00000000007A6000-memory.dmp

Filesize
152KB

Download
memory/1508-149-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1508-121-0x0000000000000000-mapping.dmp

Download
memory/1520-81-0x0000000000000000-mapping.dmp

Download
memory/1564-275-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1596-112-0x0000000000000000-mapping.dmp

Download
memory/1620-206-0x0000000000000000-mapping.dmp

Download
memory/1620-160-0x0000000000000000-mapping.dmp

Download
memory/1640-124-0x0000000000640000-0x0000000000645000-memory.dmp

Filesize
20KB

Download
memory/1640-106-0x0000000000000000-mapping.dmp

Download
memory/1640-130-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1640-110-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1640-125-0x0000000000660000-0x0000000000686000-memory.dmp

Filesize
152KB

Download
memory/1648-154-0x0000000000000000-mapping.dmp

Download
memory/1648-127-0x0000000000000000-mapping.dmp

Download
memory/1656-191-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1656-181-0x0000000000000000-mapping.dmp

Download
memory/1656-213-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1656-201-0x0000000000560000-0x0000000000565000-memory.dmp

Filesize
20KB

Download
memory/1656-203-0x0000000000570000-0x0000000000596000-memory.dmp

Filesize
152KB

Download
memory/1676-174-0x0000000000000000-mapping.dmp

Download
memory/1712-276-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1712-269-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1724-192-0x0000000000000000-mapping.dmp

Download
memory/1756-199-0x0000000000000000-mapping.dmp

Download
memory/1772-96-0x0000000000000000-mapping.dmp

Download
memory/1776-103-0x0000000000000000-mapping.dmp

Download
memory/1812-105-0x0000000000000000-mapping.dmp

Download
memory/1812-241-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1812-227-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1872-168-0x0000000000000000-mapping.dmp

Download
memory/1908-120-0x0000000000000000-mapping.dmp

Download
memory/1968-95-0x0000000000000000-mapping.dmp

Download
memory/1976-76-0x00000000047C0000-0x00000000047E6000-memory.dmp

Filesize
152KB

Download
memory/1976-136-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1976-61-0x0000000000000000-mapping.dmp

Download
memory/1976-68-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/1976-75-0x00000000008D0000-0x00000000008D5000-memory.dmp

Filesize
20KB

Download
memory/1984-100-0x0000000000900000-0x0000000000905000-memory.dmp

Filesize
20KB

Download
memory/1984-101-0x00000000047D0000-0x00000000047F6000-memory.dmp

Filesize
152KB

Download
memory/1984-114-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1984-93-0x0000000000000000-mapping.dmp

Download
memory/1984-99-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1988-162-0x0000000000000000-mapping.dmp

Download
memory/2000-133-0x0000000000000000-mapping.dmp

Download
memory/2016-161-0x0000000000000000-mapping.dmp

Download