49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Analysis

max time kernel
176s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
Size

504KB
MD5

63af7fee2f39d6064aa58cd616f97400
SHA1

a82451a52cc6d59acc301c8dbd4f9c30c1884f4e
SHA256

49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
SHA512

51471996cca503e9523dd084c65ba0c9a431c0dd262ae1d60cb4214343e20bd4acbc7a4e9c8884c692a074113089c8cdaf5e7eedd267f1ebb90699f14a92a14e
SSDEEP

12288:LFA01s79ob0Ux+DMzyAtP5Q5xEzCIyVHkZvFZT/jD5m69:nO9oAa9yV5xEzCXVHINZo69

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\nCIYgAMU\\MewEQosU.exe,"	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\ProgramData\\nCIYgAMU\\MewEQosU.exe,"	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe

Modifies visibility of file extensions in Explorer 2 TTPs 47 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 47 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1052	lUwocMUo.exe
1284	MewEQosU.exe
1984	EuoIQQww.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\RemoveTrace.png.exe	lUwocMUo.exe
File created	C:\Users\Admin\Pictures\UnpublishAssert.png.exe	lUwocMUo.exe

Loads dropped DLL 22 IoCs

pid	Process
1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe
1052	lUwocMUo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MewEQosU.exe = "C:\\ProgramData\\nCIYgAMU\\MewEQosU.exe"	EuoIQQww.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lUwocMUo.exe = "C:\\Users\\Admin\\diMkgwUk\\lUwocMUo.exe"	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MewEQosU.exe = "C:\\ProgramData\\nCIYgAMU\\MewEQosU.exe"	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lUwocMUo.exe = "C:\\Users\\Admin\\diMkgwUk\\lUwocMUo.exe"	lUwocMUo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MewEQosU.exe = "C:\\ProgramData\\nCIYgAMU\\MewEQosU.exe"	MewEQosU.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\diMkgwUk	EuoIQQww.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\diMkgwUk\lUwocMUo	EuoIQQww.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1844	reg.exe
1740	reg.exe
1048	reg.exe
1156	reg.exe
1612	reg.exe
1652	reg.exe
952	reg.exe
1744	reg.exe
1708	reg.exe
1524	reg.exe
1844	reg.exe
1612	reg.exe
1420	reg.exe
1936	reg.exe
1140	reg.exe
1812	reg.exe
1368	reg.exe
836	reg.exe
1936	reg.exe
1364	reg.exe
1688	reg.exe
1368	reg.exe
1336	reg.exe
1972	reg.exe
1816	reg.exe
1884	reg.exe
2044	reg.exe
1668	reg.exe
1036	reg.exe
1192	reg.exe
1364	reg.exe
108	reg.exe
1412	reg.exe
1472	reg.exe
1500	reg.exe
1020	reg.exe
1592	reg.exe
1420	reg.exe
1828	reg.exe
1436	reg.exe
1476	reg.exe
1220	reg.exe
1996	reg.exe
904	reg.exe
1036	reg.exe
1972	reg.exe
1996	reg.exe
1324	reg.exe
1600	reg.exe
1980	reg.exe
1408	reg.exe
1728	reg.exe
1420	reg.exe
1660	reg.exe
1976	reg.exe
1652	reg.exe
1616	reg.exe
900	reg.exe
1744	reg.exe
1708	reg.exe
1616	reg.exe
1616	reg.exe
2008	reg.exe
1012	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
832	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
832	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1592	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1592	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1436	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1436	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1708	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1708	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1688	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1688	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1436	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1436	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
576	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
576	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1472	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1472	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
760	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
760	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1604	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1604	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1820	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1820	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1976	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1976	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1744	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1744	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1832	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1832	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
760	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
760	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1796	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1796	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1964	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1964	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1540	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1540	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1744	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1744	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1692	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1692	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1036	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1036	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1256	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1256	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1436	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1436	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1520	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1520	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1964	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1964	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1032	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1032	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1100	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1100	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1960	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1960	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
108	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
108	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1420	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
1420	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1052	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	27
PID 1348 wrote to memory of 1052	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	27
PID 1348 wrote to memory of 1052	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	27
PID 1348 wrote to memory of 1052	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	27
PID 1348 wrote to memory of 1284	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	28
PID 1348 wrote to memory of 1284	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	28
PID 1348 wrote to memory of 1284	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	28
PID 1348 wrote to memory of 1284	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	28
PID 1348 wrote to memory of 1408	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	30
PID 1348 wrote to memory of 1408	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	30
PID 1348 wrote to memory of 1408	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	30
PID 1348 wrote to memory of 1408	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	30
PID 1408 wrote to memory of 1020	1408	cmd.exe	32
PID 1408 wrote to memory of 1020	1408	cmd.exe	32
PID 1408 wrote to memory of 1020	1408	cmd.exe	32
PID 1408 wrote to memory of 1020	1408	cmd.exe	32
PID 1348 wrote to memory of 980	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	33
PID 1348 wrote to memory of 980	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	33
PID 1348 wrote to memory of 980	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	33
PID 1348 wrote to memory of 980	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	33
PID 1348 wrote to memory of 1620	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	34
PID 1348 wrote to memory of 1620	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	34
PID 1348 wrote to memory of 1620	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	34
PID 1348 wrote to memory of 1620	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	34
PID 1348 wrote to memory of 1708	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	36
PID 1348 wrote to memory of 1708	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	36
PID 1348 wrote to memory of 1708	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	36
PID 1348 wrote to memory of 1708	1348	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	36
PID 1020 wrote to memory of 1400	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	39
PID 1020 wrote to memory of 1400	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	39
PID 1020 wrote to memory of 1400	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	39
PID 1020 wrote to memory of 1400	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	39
PID 1400 wrote to memory of 832	1400	cmd.exe	41
PID 1400 wrote to memory of 832	1400	cmd.exe	41
PID 1400 wrote to memory of 832	1400	cmd.exe	41
PID 1400 wrote to memory of 832	1400	cmd.exe	41
PID 1020 wrote to memory of 828	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	42
PID 1020 wrote to memory of 828	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	42
PID 1020 wrote to memory of 828	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	42
PID 1020 wrote to memory of 828	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	42
PID 1020 wrote to memory of 1472	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	46
PID 1020 wrote to memory of 1472	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	46
PID 1020 wrote to memory of 1472	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	46
PID 1020 wrote to memory of 1472	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	46
PID 1020 wrote to memory of 1140	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	44
PID 1020 wrote to memory of 1140	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	44
PID 1020 wrote to memory of 1140	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	44
PID 1020 wrote to memory of 1140	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	44
PID 1020 wrote to memory of 1748	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	47
PID 1020 wrote to memory of 1748	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	47
PID 1020 wrote to memory of 1748	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	47
PID 1020 wrote to memory of 1748	1020	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	47
PID 1748 wrote to memory of 1796	1748	cmd.exe	50
PID 1748 wrote to memory of 1796	1748	cmd.exe	50
PID 1748 wrote to memory of 1796	1748	cmd.exe	50
PID 1748 wrote to memory of 1796	1748	cmd.exe	50
PID 832 wrote to memory of 1600	832	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	51
PID 832 wrote to memory of 1600	832	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	51
PID 832 wrote to memory of 1600	832	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	51
PID 832 wrote to memory of 1600	832	49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe	51
PID 1600 wrote to memory of 1592	1600	cmd.exe	53
PID 1600 wrote to memory of 1592	1600	cmd.exe	53
PID 1600 wrote to memory of 1592	1600	cmd.exe	53
PID 1600 wrote to memory of 1592	1600	cmd.exe	53

C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
"C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\diMkgwUk\lUwocMUo.exe
  "C:\Users\Admin\diMkgwUk\lUwocMUo.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1052
- C:\ProgramData\nCIYgAMU\MewEQosU.exe
  "C:\ProgramData\nCIYgAMU\MewEQosU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
    C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        8⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        10⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SoIsAkMg.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        10⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iWMMkQII.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        8⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:836
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1820
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1824
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\byIwIwog.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        6⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:828
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1140
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\OKAMwoEc.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1796
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:980
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1620
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\fSUQAAwo.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1708

C:\ProgramData\oOYEgsEk\EuoIQQww.exe
C:\ProgramData\oOYEgsEk\EuoIQQww.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1984

C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
  2⤵
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
    C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
      4⤵
      PID:984
    - - C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        6⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        8⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        10⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        12⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        14⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        16⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        18⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        20⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        22⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        24⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        26⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        28⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        30⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        32⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        34⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        36⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        38⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        40⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        42⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        44⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        46⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        48⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        50⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        51⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        52⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        54⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        55⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        56⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        57⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        58⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        59⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        60⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        61⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        62⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        63⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        64⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        65⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        66⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        67⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        68⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        69⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        70⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        71⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        72⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        73⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        74⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        75⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        76⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        77⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        78⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        79⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        80⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        81⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        82⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        83⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        84⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        85⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297"
        86⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe
        
        C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297
        87⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gWEsgEAg.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        84⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIYswkEw.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        82⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vKUowcok.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        80⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WsgUcgYo.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        78⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        Modifies registry key
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SakYkAwQ.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        76⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XagQcgUM.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        74⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\yIEwIcUI.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        72⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgEIYYwI.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        70⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qAskcwok.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        68⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IsYAUUsk.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        66⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies registry key
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bUwgUosE.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        64⤵
        
        PID:108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iUMccUQs.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        62⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PUUAooIw.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        60⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        Modifies registry key
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lsgkkoMg.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        58⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ocgMgokQ.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        56⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PgsUsIYI.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        54⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BAIoAwQM.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        52⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSwQoUUI.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        50⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TUskQwIc.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        48⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nIwMMMMg.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        46⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aMsEQcIw.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        44⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        Modifies registry key
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JQAcwQMo.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        42⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KiAIcsoo.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        40⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqkIYEss.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        38⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aEQEoskk.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        36⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BmcQkUgE.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        34⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jSsAsYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        32⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZAocccUI.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        30⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SQAsEcME.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        28⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        Modifies registry key
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZGEYQQkw.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        26⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        Modifies registry key
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BeQEIEYY.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        24⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        Modifies registry key
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TMokAEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        22⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\hGgAogQw.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        20⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SGMwgckU.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        18⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:1220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGsoIEUI.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        16⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QWMEsYck.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        14⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qiQYsYow.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        12⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rAkIMEQA.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        10⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pYUgAwcA.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1232
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1524
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:840
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:1336
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmsIEkks.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
        6⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1472
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1740
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1476
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\CiAkcEoU.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
      4⤵
      PID:760
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1780
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:1812
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1624
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:1976
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OwAowUcc.bat" "C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297.exe""
  2⤵
  PID:1032
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nCIYgAMU\MewEQosU.exe

Filesize
479KB

MD5
581c96f9ed3f5407c7798177a135689c

SHA1
104c2bfe5e32bab627d3426f33566d686efe7e00

SHA256
18e40a8f38c04717a8b27cb65e10eb3a3914d3279e07107af6cd304b3a886343

SHA512
e47466110ef64c846d16ef591ccb247d5fd0df8182969879b657782c374350a13f5552c0f58049d3fc420f6a5b17e79e2c9aa71be28fd3bf83e968805f1fc150

Download Submit
C:\ProgramData\oOYEgsEk\EuoIQQww.exe

Filesize
483KB

MD5
9f6c481d351db4e5550bcb6e9d1e1f2f

SHA1
d92597fb956daf8d7021e3dcdb6c6a76e7b17f0a

SHA256
032a2b8f5caf23602a534dbdcad26c9f60ffb999355c6146e9de431595f22e86

SHA512
cd395c35f98ea9849554f288ad45e034483bd2ef96961f070d6db18ace7d80ba27412b4e58a4e2cf2ae78ac2b7c6e7a4719fda9482b2393157044e20f5373dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49037200d617b69a161b94bed0c609f20e655ca896d695b7de4cc0a5a7236297

Filesize
14KB

MD5
95e4f607722d38d26861e8c23728ca59

SHA1
e32a8ee3ab78ab603f5358d86b8a777a9380b0f9

SHA256
a4573225d60fac391f388c2f163c59eb24da04c403573e47d204cd76b24e10dd

SHA512
1d3aef37922fe97b75bb65c8ec6ee28772609f535505a7f5b2841794e2dcd9882320700697163cd48efe70d6f2dbf44c17e94a6d1a406d97b65c9223bc28f68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGsoIEUI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CiAkcEoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OKAMwoEc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwAowUcc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWMEsYck.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGMwgckU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoIsAkMg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\byIwIwog.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmsIEkks.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGgAogQw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iWMMkQII.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYUgAwcA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiQYsYow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAkIMEQA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\diMkgwUk\lUwocMUo.exe

Filesize
481KB

MD5
21398a882062abf44fe1678b709eda23

SHA1
3b91f3ca4d6a7dc80b85e3189fded0263075be12

SHA256
99c2d7dd5176db77054bac2e3133946353a6707b72b7403f22ba0f09682e7552

SHA512
c8793ef6a8e16e958cd75417e0b1e938ca60a075f92290d0e80ccb0ca7b349af3436037d823ff4e2d63c451bf73e5363bcdc63900d7bb21c01a899c689838e8d

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.0MB

MD5
4d92f518527353c0db88a70fddcfd390

SHA1
c4baffc19e7d1f0e0ebf73bab86a491c1d152f98

SHA256
97e6f3fc1a9163f10b6502509d55bf75ee893967fb35f318954797e8ab4d4d9c

SHA512
05a8136ccc45ef73cd5c70ee0ef204d9d2b48b950e938494b6d1a61dfba37527c9600382321d1c031dc74e4cf3e16f001ae0f8cd64d76d765f5509ce8dc76452

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
818KB

MD5
a41e524f8d45f0074fd07805ff0c9b12

SHA1
948deacf95a60c3fdf17e0e4db1931a6f3fc5d38

SHA256
082329648337e5ba7377fed9d8a178809f37eecb8d795b93cca4ec07d8640ff7

SHA512
91bf4be7e82536a85a840dbc9f3ce7b7927d1cedf6391aac93989abae210620433e685b86a12d133a72369a4f8a665c46ac7fc9e8a806e2872d8b1514cbb305f

Download Submit
\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
507KB

MD5
c87e561258f2f8650cef999bf643a731

SHA1
2c64b901284908e8ed59cf9c912f17d45b05e0af

SHA256
a1dfa6639bef3cb4e41175c43730d46a51393942ead826337ca9541ac210c67b

SHA512
dea4833aa712c5823f800f5f5a2adcf241c1b2b6747872f540f5ff9da6795c4ddb73db0912593337083c7c67b91e9eaf1b3d39a34b99980fd5904ba3d7d62f6c

Download Submit
\ProgramData\nCIYgAMU\MewEQosU.exe

Filesize
479KB

MD5
581c96f9ed3f5407c7798177a135689c

SHA1
104c2bfe5e32bab627d3426f33566d686efe7e00

SHA256
18e40a8f38c04717a8b27cb65e10eb3a3914d3279e07107af6cd304b3a886343

SHA512
e47466110ef64c846d16ef591ccb247d5fd0df8182969879b657782c374350a13f5552c0f58049d3fc420f6a5b17e79e2c9aa71be28fd3bf83e968805f1fc150

Download Submit
\ProgramData\nCIYgAMU\MewEQosU.exe

Filesize
479KB

MD5
581c96f9ed3f5407c7798177a135689c

SHA1
104c2bfe5e32bab627d3426f33566d686efe7e00

SHA256
18e40a8f38c04717a8b27cb65e10eb3a3914d3279e07107af6cd304b3a886343

SHA512
e47466110ef64c846d16ef591ccb247d5fd0df8182969879b657782c374350a13f5552c0f58049d3fc420f6a5b17e79e2c9aa71be28fd3bf83e968805f1fc150

Download Submit
\Users\Admin\diMkgwUk\lUwocMUo.exe

Filesize
481KB

MD5
21398a882062abf44fe1678b709eda23

SHA1
3b91f3ca4d6a7dc80b85e3189fded0263075be12

SHA256
99c2d7dd5176db77054bac2e3133946353a6707b72b7403f22ba0f09682e7552

SHA512
c8793ef6a8e16e958cd75417e0b1e938ca60a075f92290d0e80ccb0ca7b349af3436037d823ff4e2d63c451bf73e5363bcdc63900d7bb21c01a899c689838e8d

Download Submit
\Users\Admin\diMkgwUk\lUwocMUo.exe

Filesize
481KB

MD5
21398a882062abf44fe1678b709eda23

SHA1
3b91f3ca4d6a7dc80b85e3189fded0263075be12

SHA256
99c2d7dd5176db77054bac2e3133946353a6707b72b7403f22ba0f09682e7552

SHA512
c8793ef6a8e16e958cd75417e0b1e938ca60a075f92290d0e80ccb0ca7b349af3436037d823ff4e2d63c451bf73e5363bcdc63900d7bb21c01a899c689838e8d

Download Submit
memory/576-198-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/576-178-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/760-206-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/760-264-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/760-260-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/760-215-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/760-253-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/832-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/832-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/832-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1020-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1020-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1032-301-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1036-286-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1036-282-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1052-107-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1052-68-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1256-290-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1256-287-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1284-108-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1284-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1348-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1348-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1348-275-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1348-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1436-141-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-179-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-185-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-125-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-295-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1436-294-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1472-209-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1472-207-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1520-298-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1520-293-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1540-272-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1540-268-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1592-127-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1592-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-217-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1604-223-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-169-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-283-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-281-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1708-156-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1708-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1744-242-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1744-247-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1744-274-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1744-278-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1796-261-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1796-257-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1796-263-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1820-230-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1820-227-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1832-245-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1832-254-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1964-259-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1964-269-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1964-262-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-238-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-234-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1984-70-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1984-109-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download