26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Analysis

max time kernel
160s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
Size

992KB
MD5

6dbbbb6f76eab51869cb02498c4b4940
SHA1

3dc036ac7776ce5bbda4ff4ba640b189a13dc83b
SHA256

26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
SHA512

3a407b2b7e0e52593d066e9b7965708350fedcb298629e04ff0478545b275c056a5c26228ab2b553a7c8167fca1fcc284e8a89ae976593574071d7495f062a63
SSDEEP

24576:zTqw9suaFOuCp51vB8zZUQlzg3aF05zGQlp2V:zTf9sBFAqzZ4s017D2V

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\sGYMwMYw\\BGgYcYEw.exe,"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\sGYMwMYw\\BGgYcYEw.exe,"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\sGYMwMYw\\BGgYcYEw.exe,C:\\ProgramData\\diIsEgMY\\BKkkgMUY.exe,"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\sGYMwMYw\\BGgYcYEw.exe,C:\\ProgramData\\diIsEgMY\\BKkkgMUY.exe,"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe

Modifies visibility of file extensions in Explorer 2 TTPs 28 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 28 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1448	ocUUkoAQ.exe
4412	BGgYcYEw.exe
4696	pQooMMAk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ocUUkoAQ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BGgYcYEw.exe = "C:\\ProgramData\\sGYMwMYw\\BGgYcYEw.exe"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ocUUkoAQ.exe = "C:\\Users\\Admin\\HCEoIcgI\\ocUUkoAQ.exe"	ocUUkoAQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BGgYcYEw.exe = "C:\\ProgramData\\sGYMwMYw\\BGgYcYEw.exe"	BGgYcYEw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BGgYcYEw.exe = "C:\\ProgramData\\sGYMwMYw\\BGgYcYEw.exe"	pQooMMAk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OWcEgAUk.exe = "C:\\Users\\Admin\\fksIMMsw\\OWcEgAUk.exe"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BKkkgMUY.exe = "C:\\ProgramData\\diIsEgMY\\BKkkgMUY.exe"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ocUUkoAQ.exe = "C:\\Users\\Admin\\HCEoIcgI\\ocUUkoAQ.exe"	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\HCEoIcgI	pQooMMAk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\HCEoIcgI\ocUUkoAQ	pQooMMAk.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	ocUUkoAQ.exe
File opened for modification	C:\Windows\SysWOW64\sheCopySet.wma	ocUUkoAQ.exe
File opened for modification	C:\Windows\SysWOW64\sheEditUnblock.mpg	ocUUkoAQ.exe
File opened for modification	C:\Windows\SysWOW64\sheInstallClose.zip	ocUUkoAQ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2772	5080	WerFault.exe	407
2324	4048	WerFault.exe	406
3300	3748	WerFault.exe	408

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1452	reg.exe
3980	reg.exe
1260	reg.exe
4032	reg.exe
3528	reg.exe
4628	reg.exe
1992	reg.exe
3836	reg.exe
4724	reg.exe
1744	reg.exe
1104	reg.exe
4084	reg.exe
3296	reg.exe
2180	reg.exe
4860	reg.exe
1332	reg.exe
2384	reg.exe
3176	reg.exe
2088	reg.exe
3812	reg.exe
4380	reg.exe
3756	reg.exe
3624	reg.exe
2636	reg.exe
2508	reg.exe
1396	reg.exe
4996	reg.exe
4244	reg.exe
3484	reg.exe
3556	reg.exe
2240	reg.exe
1404	reg.exe
2180	reg.exe
1692	reg.exe
3948	reg.exe
1692	reg.exe
532	reg.exe
2184	reg.exe
3312	reg.exe
4564	reg.exe
3168	reg.exe
1916	reg.exe
756	reg.exe
4080	reg.exe
3088	reg.exe
4300	reg.exe
1376	reg.exe
3792	reg.exe
2732	reg.exe
4252	reg.exe
312	reg.exe
3860	reg.exe
208	reg.exe
3148	reg.exe
2284	reg.exe
1396	reg.exe
5076	reg.exe
4008	reg.exe
4820	reg.exe
1408	reg.exe
2452	reg.exe
2228	reg.exe
5084	reg.exe
1004	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3060	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3060	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3060	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3060	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2588	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2588	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2588	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2588	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3868	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3868	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3868	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3868	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1112	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1112	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1112	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1112	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1652	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1652	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1652	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
1652	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2992	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2992	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2992	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2992	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
4756	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
4756	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
4756	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
4756	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
364	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
364	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
364	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
364	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
4836	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
4836	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
4836	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
4836	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2400	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2400	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2400	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
2400	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3204	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3204	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3204	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3204	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3056	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3056	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3056	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3056	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3092	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3092	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3092	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
3092	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1448	ocUUkoAQ.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe
1448	ocUUkoAQ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1448	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	83
PID 1696 wrote to memory of 1448	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	83
PID 1696 wrote to memory of 1448	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	83
PID 1696 wrote to memory of 4412	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	84
PID 1696 wrote to memory of 4412	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	84
PID 1696 wrote to memory of 4412	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	84
PID 1696 wrote to memory of 3116	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	87
PID 1696 wrote to memory of 3116	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	87
PID 1696 wrote to memory of 3116	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	87
PID 3116 wrote to memory of 1660	3116	cmd.exe	89
PID 3116 wrote to memory of 1660	3116	cmd.exe	89
PID 3116 wrote to memory of 1660	3116	cmd.exe	89
PID 1696 wrote to memory of 1396	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	90
PID 1696 wrote to memory of 1396	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	90
PID 1696 wrote to memory of 1396	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	90
PID 1696 wrote to memory of 4996	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	91
PID 1696 wrote to memory of 4996	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	91
PID 1696 wrote to memory of 4996	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	91
PID 1696 wrote to memory of 1452	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	92
PID 1696 wrote to memory of 1452	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	92
PID 1696 wrote to memory of 1452	1696	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	92
PID 1660 wrote to memory of 4812	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	96
PID 1660 wrote to memory of 4812	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	96
PID 1660 wrote to memory of 4812	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	96
PID 1660 wrote to memory of 2228	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	98
PID 1660 wrote to memory of 2228	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	98
PID 1660 wrote to memory of 2228	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	98
PID 1660 wrote to memory of 1916	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	100
PID 1660 wrote to memory of 1916	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	100
PID 1660 wrote to memory of 1916	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	100
PID 1660 wrote to memory of 3948	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	102
PID 1660 wrote to memory of 3948	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	102
PID 1660 wrote to memory of 3948	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	102
PID 1660 wrote to memory of 1376	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	103
PID 1660 wrote to memory of 1376	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	103
PID 1660 wrote to memory of 1376	1660	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	103
PID 4812 wrote to memory of 2312	4812	cmd.exe	106
PID 4812 wrote to memory of 2312	4812	cmd.exe	106
PID 4812 wrote to memory of 2312	4812	cmd.exe	106
PID 1376 wrote to memory of 1652	1376	cmd.exe	107
PID 1376 wrote to memory of 1652	1376	cmd.exe	107
PID 1376 wrote to memory of 1652	1376	cmd.exe	107
PID 2312 wrote to memory of 4616	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	108
PID 2312 wrote to memory of 4616	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	108
PID 2312 wrote to memory of 4616	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	108
PID 4616 wrote to memory of 3060	4616	cmd.exe	110
PID 4616 wrote to memory of 3060	4616	cmd.exe	110
PID 4616 wrote to memory of 3060	4616	cmd.exe	110
PID 2312 wrote to memory of 2992	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	111
PID 2312 wrote to memory of 2992	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	111
PID 2312 wrote to memory of 2992	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	111
PID 2312 wrote to memory of 5084	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	112
PID 2312 wrote to memory of 5084	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	112
PID 2312 wrote to memory of 5084	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	112
PID 2312 wrote to memory of 4820	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	113
PID 2312 wrote to memory of 4820	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	113
PID 2312 wrote to memory of 4820	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	113
PID 2312 wrote to memory of 3636	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	118
PID 2312 wrote to memory of 3636	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	118
PID 2312 wrote to memory of 3636	2312	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	118
PID 3636 wrote to memory of 2488	3636	cmd.exe	119
PID 3636 wrote to memory of 2488	3636	cmd.exe	119
PID 3636 wrote to memory of 2488	3636	cmd.exe	119
PID 3060 wrote to memory of 2388	3060	26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe	120

C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
"C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\HCEoIcgI\ocUUkoAQ.exe
  "C:\Users\Admin\HCEoIcgI\ocUUkoAQ.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1448
- C:\ProgramData\sGYMwMYw\BGgYcYEw.exe
  "C:\ProgramData\sGYMwMYw\BGgYcYEw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
    C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        8⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        10⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        12⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        14⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        16⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        18⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        20⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        22⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        24⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        26⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        28⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        30⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        32⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        33⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        34⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        35⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        36⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        37⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        38⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        39⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        40⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        41⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        42⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        43⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        44⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        45⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        46⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        47⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        48⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        49⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        50⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        51⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        52⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        53⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:4860
        
        C:\Users\Admin\fksIMMsw\OWcEgAUk.exe
        
        "C:\Users\Admin\fksIMMsw\OWcEgAUk.exe"
        54⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 272
        55⤵
        Program crash
        
        PID:2324
        
        C:\ProgramData\diIsEgMY\BKkkgMUY.exe
        
        "C:\ProgramData\diIsEgMY\BKkkgMUY.exe"
        54⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 360
        55⤵
        Program crash
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e"
        54⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe
        
        C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e
        55⤵
        
        PID:532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:1104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwYAUYgM.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        54⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuYgcUkI.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        52⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ksYEsgkM.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        50⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WoAssssc.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        48⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUwIkosw.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        46⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:1260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMMQgggE.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        44⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgUsoUAA.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        42⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSkoUQAI.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        40⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VoUskwQo.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        38⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywMoooMQ.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        36⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dawwkEEw.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        34⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        Modifies registry key
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmoskkkI.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        32⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwsscskY.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        30⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wigQIgEA.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        28⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qccMQwMY.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        26⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:4032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paQMwkkc.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        24⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkEAEoEU.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        22⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JsocogkQ.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        20⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MaQYMcYU.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        18⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuUwsYsY.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        16⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOAIEIkI.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        14⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DossAocw.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        12⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGYEwoIE.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        10⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgAMUsEU.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        8⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4380
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2992
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:5084
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCMQgEwU.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2488
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2228
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:3948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ycMIwgEw.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1652
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1396
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4996
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fsQUEAME.bat" "C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e.exe""
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1396

C:\ProgramData\hwIkAcIg\pQooMMAk.exe
C:\ProgramData\hwIkAcIg\pQooMMAk.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4696

C:\ProgramData\ZIgQIIgk\awIckgcg.exe
C:\ProgramData\ZIgQIIgk\awIckgcg.exe
1⤵
PID:3748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 260
  2⤵
  - Program crash
  PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4048 -ip 4048
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3748 -ip 3748
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5080 -ip 5080
1⤵
PID:3564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hwIkAcIg\pQooMMAk.exe

Filesize
982KB

MD5
4090224eef0d5b78e33d41e5c91558b9

SHA1
d3fb18ac749e394cd92dd193e1267294dee61f49

SHA256
3bd7105f685fb0c87dc3982897a7e1492d3ca42b15cbab87521fe9b18f839dc4

SHA512
30ac7cbe8cc8b26035ca009f048211faa2e91ee785cf1cbfccdf6a748b60c466146fd5ab1502fbd31a828a1d07445b40ecbaca34743193378683226279023e58

Download Submit
C:\ProgramData\hwIkAcIg\pQooMMAk.exe

Filesize
982KB

MD5
4090224eef0d5b78e33d41e5c91558b9

SHA1
d3fb18ac749e394cd92dd193e1267294dee61f49

SHA256
3bd7105f685fb0c87dc3982897a7e1492d3ca42b15cbab87521fe9b18f839dc4

SHA512
30ac7cbe8cc8b26035ca009f048211faa2e91ee785cf1cbfccdf6a748b60c466146fd5ab1502fbd31a828a1d07445b40ecbaca34743193378683226279023e58

Download Submit
C:\ProgramData\sGYMwMYw\BGgYcYEw.exe

Filesize
981KB

MD5
b44a48a2f39bdc202e64cbdde969fb36

SHA1
2209efca272388b243443d39e2d65394800ac1bf

SHA256
63cabbb5f6571523f8f968aa27571d6d649f9d7039a02ec5a5884351fcd0b081

SHA512
6a65aba42540cf859b35b40edc11d09055d115c02ef86afce6f9093d820c96e28b28d90714c8fd454013c1ead47ca7b1d4d9647bd0d9b30dd1754db3ca0be040

Download Submit
C:\ProgramData\sGYMwMYw\BGgYcYEw.exe

Filesize
981KB

MD5
b44a48a2f39bdc202e64cbdde969fb36

SHA1
2209efca272388b243443d39e2d65394800ac1bf

SHA256
63cabbb5f6571523f8f968aa27571d6d649f9d7039a02ec5a5884351fcd0b081

SHA512
6a65aba42540cf859b35b40edc11d09055d115c02ef86afce6f9093d820c96e28b28d90714c8fd454013c1ead47ca7b1d4d9647bd0d9b30dd1754db3ca0be040

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\26ee3aa1dededda3d52a821524deb7145c21baeba5ad5e5a2bcf4b93dfe23b8e

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\DossAocw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCMQgEwU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\JsocogkQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MaQYMcYU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NSkoUQAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkEAEoEU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SuUwsYsY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOAIEIkI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwsscskY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoUskwQo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\dawwkEEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgAMUsEU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fsQUEAME.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGYEwoIE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmoskkkI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\paQMwkkc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qccMQwMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wigQIgEA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycMIwgEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywMoooMQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\HCEoIcgI\ocUUkoAQ.exe

Filesize
983KB

MD5
7a46afc745d8fbed67c034ebd817a092

SHA1
412e087465e5b7ac5f0afb549dfcbeb33c2fac2e

SHA256
33d1a76ec2dd73446b64a7c9a6a1642ad96da05dba8d33054d25faaae8d93f9a

SHA512
8f93b8ba0cc6f9a901ea4e2d55cc7306395343d01c5b9b0688a677e3a35de884243433cf9e93e9219fc3d666f0a0a1d9d0a5b0ec31c2ed850dd40b5cd2a0ab08

Download Submit
C:\Users\Admin\HCEoIcgI\ocUUkoAQ.exe

Filesize
983KB

MD5
7a46afc745d8fbed67c034ebd817a092

SHA1
412e087465e5b7ac5f0afb549dfcbeb33c2fac2e

SHA256
33d1a76ec2dd73446b64a7c9a6a1642ad96da05dba8d33054d25faaae8d93f9a

SHA512
8f93b8ba0cc6f9a901ea4e2d55cc7306395343d01c5b9b0688a677e3a35de884243433cf9e93e9219fc3d666f0a0a1d9d0a5b0ec31c2ed850dd40b5cd2a0ab08

Download Submit
memory/364-261-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/364-264-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1112-227-0x0000000004A00000-0x0000000004A26000-memory.dmp

Filesize
152KB

Download
memory/1112-225-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1112-215-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1112-226-0x00000000023C0000-0x00000000023C5000-memory.dmp

Filesize
20KB

Download
memory/1448-139-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1448-147-0x00000000049E0000-0x0000000004A06000-memory.dmp

Filesize
152KB

Download
memory/1448-192-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1608-290-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1608-297-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1652-229-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1652-240-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1660-155-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1660-163-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1684-299-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1684-302-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1696-292-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1696-132-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1696-135-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1696-134-0x00000000049E0000-0x0000000004A06000-memory.dmp

Filesize
152KB

Download
memory/1696-133-0x00000000049D0000-0x00000000049D5000-memory.dmp

Filesize
20KB

Download
memory/1968-315-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1968-313-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1980-307-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1980-305-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2312-164-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2312-175-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2400-274-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2400-272-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2588-188-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2588-200-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2992-252-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2992-241-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3056-285-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3056-282-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3060-323-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3060-322-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3060-179-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3060-187-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3092-289-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3092-284-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3204-279-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3204-276-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3580-312-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3580-308-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3868-203-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3868-213-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3948-320-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/3948-321-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4048-316-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4048-317-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4128-319-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4128-318-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4412-201-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4412-145-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4696-146-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4696-153-0x0000000003690000-0x0000000003695000-memory.dmp

Filesize
20KB

Download
memory/4696-202-0x0000000000400000-0x00000000004F8000-memory.dmp

Filesize
992KB

Download
memory/4696-154-0x00000000036A0000-0x00000000036C6000-memory.dmp

Filesize
152KB

Download
memory/4756-253-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4756-259-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4836-266-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/4836-269-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download