f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
Size

499KB
MD5

92e36d600ecae197c77bbf2f9f8bdd90
SHA1

9e3827bc8921af6f2c49883931b415fd546570c1
SHA256

f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
SHA512

db228795357abf3f636b82133f6ce7e4a9c07808f3389a5de0b6c2f4d405a534db3a835324fbcdfd11cb53930038ab0a1bd0db203fbffc43ef799b5b909e8e10
SSDEEP

12288:QHeVNdfPk+wJbfaY/KdMr2cJNmMRkaYu6SMCMIKKugvkqY:QHednk+whn/iMfJ/kaySMCMIKQ8L

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\vaQkcAkw\\cysksIsY.exe,"	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\vaQkcAkw\\cysksIsY.exe,"	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1048	dGcIEQkw.exe
4324	cysksIsY.exe
4136	cocEwcYE.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dGcIEQkw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cysksIsY.exe = "C:\\ProgramData\\vaQkcAkw\\cysksIsY.exe"	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dGcIEQkw.exe = "C:\\Users\\Admin\\pQckYIIA\\dGcIEQkw.exe"	dGcIEQkw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cysksIsY.exe = "C:\\ProgramData\\vaQkcAkw\\cysksIsY.exe"	cysksIsY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cysksIsY.exe = "C:\\ProgramData\\vaQkcAkw\\cysksIsY.exe"	cocEwcYE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dGcIEQkw.exe = "C:\\Users\\Admin\\pQckYIIA\\dGcIEQkw.exe"	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\pQckYIIA	cocEwcYE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\pQckYIIA\dGcIEQkw	cocEwcYE.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	dGcIEQkw.exe
File opened for modification	C:\Windows\SysWOW64\sheBackupRead.pptx	dGcIEQkw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2552	reg.exe
5072	reg.exe
3896	reg.exe
5104	reg.exe
4776	reg.exe
3656	reg.exe
4592	reg.exe
1940	reg.exe
3080	reg.exe
5064	reg.exe
4000	reg.exe
3356	reg.exe
4420	reg.exe
1976	reg.exe
4264	reg.exe
2700	reg.exe
3008	reg.exe
3584	reg.exe
204	reg.exe
2776	reg.exe
3484	reg.exe
364	reg.exe
476	reg.exe
4792	reg.exe
2704	reg.exe
2024	reg.exe
1372	reg.exe
2744	reg.exe
624	reg.exe
4724	reg.exe
4576	reg.exe
1040	reg.exe
2656	reg.exe
4220	reg.exe
3872	reg.exe
3912	reg.exe
2284	reg.exe
1184	reg.exe
1604	reg.exe
2412	reg.exe
1264	reg.exe
4788	reg.exe
1884	reg.exe
3644	reg.exe
3988	reg.exe
3208	reg.exe
1308	reg.exe
1968	reg.exe
4560	reg.exe
4648	reg.exe
1428	reg.exe
3396	reg.exe
2280	reg.exe
228	reg.exe
1968	reg.exe
4504	reg.exe
2396	reg.exe
4272	reg.exe
1200	reg.exe
1036	reg.exe
2836	reg.exe
4496	reg.exe
544	reg.exe
4244	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
404	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
404	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
404	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
404	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2808	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2808	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2808	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2808	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2972	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2972	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2972	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2972	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3172	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3172	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3172	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3172	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3116	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3116	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3116	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3116	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3444	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3444	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3444	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3444	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
4448	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
4448	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
4448	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
4448	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
1832	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
1832	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
1832	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
1832	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3628	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3628	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3628	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3628	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2232	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2232	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2232	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
2232	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
4456	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
4456	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
4456	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
4456	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
364	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
364	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
364	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
364	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1048	dGcIEQkw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe
1048	dGcIEQkw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 1048	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	84
PID 4896 wrote to memory of 1048	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	84
PID 4896 wrote to memory of 1048	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	84
PID 4896 wrote to memory of 4324	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	85
PID 4896 wrote to memory of 4324	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	85
PID 4896 wrote to memory of 4324	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	85
PID 4896 wrote to memory of 1080	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	87
PID 4896 wrote to memory of 1080	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	87
PID 4896 wrote to memory of 1080	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	87
PID 4896 wrote to memory of 2780	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	89
PID 4896 wrote to memory of 2780	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	89
PID 4896 wrote to memory of 2780	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	89
PID 4896 wrote to memory of 3628	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	91
PID 4896 wrote to memory of 3628	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	91
PID 4896 wrote to memory of 3628	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	91
PID 4896 wrote to memory of 3624	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	94
PID 4896 wrote to memory of 3624	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	94
PID 4896 wrote to memory of 3624	4896	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	94
PID 1080 wrote to memory of 2612	1080	cmd.exe	93
PID 1080 wrote to memory of 2612	1080	cmd.exe	93
PID 1080 wrote to memory of 2612	1080	cmd.exe	93
PID 2612 wrote to memory of 4648	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	96
PID 2612 wrote to memory of 4648	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	96
PID 2612 wrote to memory of 4648	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	96
PID 2612 wrote to memory of 4420	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	98
PID 2612 wrote to memory of 4420	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	98
PID 2612 wrote to memory of 4420	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	98
PID 4648 wrote to memory of 3608	4648	cmd.exe	99
PID 4648 wrote to memory of 3608	4648	cmd.exe	99
PID 4648 wrote to memory of 3608	4648	cmd.exe	99
PID 2612 wrote to memory of 2140	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	101
PID 2612 wrote to memory of 2140	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	101
PID 2612 wrote to memory of 2140	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	101
PID 2612 wrote to memory of 2200	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	103
PID 2612 wrote to memory of 2200	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	103
PID 2612 wrote to memory of 2200	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	103
PID 2612 wrote to memory of 2496	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	104
PID 2612 wrote to memory of 2496	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	104
PID 2612 wrote to memory of 2496	2612	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	104
PID 3608 wrote to memory of 4280	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	107
PID 3608 wrote to memory of 4280	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	107
PID 3608 wrote to memory of 4280	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	107
PID 3608 wrote to memory of 3436	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	109
PID 3608 wrote to memory of 3436	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	109
PID 3608 wrote to memory of 3436	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	109
PID 3608 wrote to memory of 5052	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	110
PID 3608 wrote to memory of 5052	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	110
PID 3608 wrote to memory of 5052	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	110
PID 3608 wrote to memory of 3584	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	111
PID 3608 wrote to memory of 3584	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	111
PID 3608 wrote to memory of 3584	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	111
PID 3608 wrote to memory of 4908	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	114
PID 3608 wrote to memory of 4908	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	114
PID 3608 wrote to memory of 4908	3608	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	114
PID 4280 wrote to memory of 404	4280	cmd.exe	117
PID 4280 wrote to memory of 404	4280	cmd.exe	117
PID 4280 wrote to memory of 404	4280	cmd.exe	117
PID 4908 wrote to memory of 2232	4908	cmd.exe	118
PID 4908 wrote to memory of 2232	4908	cmd.exe	118
PID 4908 wrote to memory of 2232	4908	cmd.exe	118
PID 2496 wrote to memory of 3444	2496	cmd.exe	119
PID 2496 wrote to memory of 3444	2496	cmd.exe	119
PID 2496 wrote to memory of 3444	2496	cmd.exe	119
PID 404 wrote to memory of 2552	404	f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe	120

C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
"C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\pQckYIIA\dGcIEQkw.exe
  "C:\Users\Admin\pQckYIIA\dGcIEQkw.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1048
- C:\ProgramData\vaQkcAkw\cysksIsY.exe
  "C:\ProgramData\vaQkcAkw\cysksIsY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
    C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        8⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        10⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        12⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        14⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        16⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        18⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        20⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        22⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        24⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        26⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        28⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        30⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        32⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        33⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        34⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        35⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        36⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        37⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        38⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        39⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        40⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        41⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        42⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        43⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        44⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        45⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        46⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        47⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        48⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        49⤵
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        50⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        51⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        52⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        53⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        54⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        55⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        56⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        57⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        58⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        59⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        60⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        61⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        62⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        63⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        64⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        65⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        66⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        67⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        68⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        69⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        70⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        71⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        72⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        73⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        74⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        75⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        76⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        77⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        78⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        79⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        80⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        81⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        82⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        83⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        84⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        85⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        86⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        87⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        88⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        89⤵
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        90⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        91⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        92⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        93⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        94⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        95⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        96⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        97⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        98⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        99⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        100⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        101⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        102⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        103⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        104⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        105⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        106⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        107⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        108⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        109⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        110⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        111⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        112⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        113⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        114⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        115⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        116⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        117⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        118⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        119⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        120⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        121⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        122⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        123⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        124⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        125⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        126⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        127⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        128⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        129⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        130⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        131⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        132⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        133⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        134⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        135⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        136⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        137⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        138⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        139⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        140⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        141⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30"
        142⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe
        
        C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30
        143⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIksscso.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        142⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        UAC bypass
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        Modifies registry key
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmssgMco.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        140⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        Modifies registry key
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\luQkQMcs.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        138⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        UAC bypass
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkwIwwAk.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        136⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUgMIsIk.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        134⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        Modifies registry key
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EaIksYkU.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        132⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        Modifies registry key
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YYMMksQo.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        130⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        Modifies registry key
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        Modifies registry key
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqQIkoIg.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        128⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nIEscMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        126⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqswYkwk.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        124⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCQUgsYw.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        122⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQUYoUwU.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        120⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MqEgAAsk.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        118⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKUUkIoA.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        116⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yykkgUQs.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        114⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        Modifies registry key
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsoEoUMk.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        112⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        Modifies registry key
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMMUMYUM.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        110⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaUgYQgE.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        108⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        Modifies registry key
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XssgsQoc.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        106⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TUAUIMMc.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        104⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        UAC bypass
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        Modifies registry key
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaoEYogs.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        102⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEcIkEIA.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        100⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        Modifies registry key
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cagUgsQs.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        98⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        Modifies registry key
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UOUAUIQw.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        96⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gIoYgcUk.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        94⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        Modifies registry key
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOgUMcAc.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        92⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqIAEccc.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        90⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSokkQwc.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        88⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAccEUsw.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        86⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyAccMws.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        84⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYgMQosg.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        82⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oMYYQEso.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        80⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SsMAAwUY.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        78⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        Modifies registry key
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOEIIQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        76⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        Modifies registry key
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        Modifies registry key
        
        PID:204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGokQMcs.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        74⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCYgQcsc.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        72⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKogkAkw.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        70⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKwoUQYU.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        68⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        Modifies registry key
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGwksEIc.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        66⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xOQIEUoE.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        64⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VocYsAko.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        62⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQAAYwAY.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        60⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqYEkwUg.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        58⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:4900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWkIMwII.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        56⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmcAwsMc.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        54⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUwYQsIM.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        52⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rOUQUgYI.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        50⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        Modifies registry key
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgkEwIAU.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        48⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cygsYEYM.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        46⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuMUoccg.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        44⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSUswcwc.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        42⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeMcQEYk.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        40⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tugcUIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        38⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqYwkgUE.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        36⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYswwkQM.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        34⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSIwMMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        32⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyYQQUYM.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        30⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:4504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyEMkAIw.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        28⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies registry key
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAgoQcEw.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        26⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgIwoYwA.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        24⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sAUAQEwo.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        22⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCsgkkIg.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        20⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mIUEAsoQ.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        18⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUsQcYAI.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        16⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQUsUgos.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        14⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LsIMgUcc.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        12⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOkAoccI.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        10⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcIMIMYw.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        8⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1976
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3436
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:5052
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lYcEAUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2232
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:4420
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:2200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\neUwAkkI.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3444
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2780
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3628
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEQEswgc.bat" "C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30.exe""
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:624

C:\ProgramData\uCUYoUcE\cocEwcYE.exe
C:\ProgramData\uCUYoUcE\cocEwcYE.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uCUYoUcE\cocEwcYE.exe

Filesize
478KB

MD5
abaa02ca61090c98144be23812ad6f00

SHA1
d9831e8229f6b63016d7f1b5c9d56f5545392937

SHA256
9d93a723589a60190077b832fe706af3680f46791fccaea55c92b3472a93510c

SHA512
58d7ede913d1b993983a9e38626c27b7003c0a8a1fdbf144e253987ac5237d2209960fbf55f00d9739acacd53b2f9b1903c1e3cbb0e6879ee69e421e6b118c34

Download Submit
C:\ProgramData\uCUYoUcE\cocEwcYE.exe

Filesize
478KB

MD5
abaa02ca61090c98144be23812ad6f00

SHA1
d9831e8229f6b63016d7f1b5c9d56f5545392937

SHA256
9d93a723589a60190077b832fe706af3680f46791fccaea55c92b3472a93510c

SHA512
58d7ede913d1b993983a9e38626c27b7003c0a8a1fdbf144e253987ac5237d2209960fbf55f00d9739acacd53b2f9b1903c1e3cbb0e6879ee69e421e6b118c34

Download Submit
C:\ProgramData\vaQkcAkw\cysksIsY.exe

Filesize
483KB

MD5
86f09475a0461df1d9c4f577e570e3c4

SHA1
2e1b9f9f2fe2e1c485f6ba6dbcd6982134d3399e

SHA256
7c9e1624bca4b8057b663c95e64afcd750065eee504ed8967373258eba35fd5f

SHA512
e48ceec786e5d6d5c385c7a17f1174b5b211d4446bb0b7163b3059292636b50f579d84d6b2da48962a5ce3b6278c1e31a3b260b40a427675bae31f87ee8f03eb

Download Submit
C:\ProgramData\vaQkcAkw\cysksIsY.exe

Filesize
483KB

MD5
86f09475a0461df1d9c4f577e570e3c4

SHA1
2e1b9f9f2fe2e1c485f6ba6dbcd6982134d3399e

SHA256
7c9e1624bca4b8057b663c95e64afcd750065eee504ed8967373258eba35fd5f

SHA512
e48ceec786e5d6d5c385c7a17f1174b5b211d4446bb0b7163b3059292636b50f579d84d6b2da48962a5ce3b6278c1e31a3b260b40a427675bae31f87ee8f03eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYswwkQM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IeMcQEYk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsIMgUcc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQUsUgos.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyYQQUYM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOkAoccI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSIwMMgQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19775c320e51fe1f9d4bfbee4c1ae2bd949c65ddf7588f406cefe9ad3dbfc30

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\fAgoQcEw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgIwoYwA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYcEAUAQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIUEAsoQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\neUwAkkI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqYwkgUE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcIMIMYw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAUAQEwo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tugcUIEQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUsQcYAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\wyEMkAIw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCsgkkIg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\pQckYIIA\dGcIEQkw.exe

Filesize
483KB

MD5
5e8f14de98a44194b54f00cfec4c08d7

SHA1
24c7233616bc22ed876abca8c643f628bda373df

SHA256
ae55cf81321fbca5af511b96197abd2309de40796a654ab558182f9038092961

SHA512
77fc9ae72486c932f4c2df1d0b19537890fac1bc40b4263ad3b85851a2ee63809e15eac9de631d36a2c7c355dea4dbed0a54aaca52e15d3013aaa84f3a061d2a

Download Submit
C:\Users\Admin\pQckYIIA\dGcIEQkw.exe

Filesize
483KB

MD5
5e8f14de98a44194b54f00cfec4c08d7

SHA1
24c7233616bc22ed876abca8c643f628bda373df

SHA256
ae55cf81321fbca5af511b96197abd2309de40796a654ab558182f9038092961

SHA512
77fc9ae72486c932f4c2df1d0b19537890fac1bc40b4263ad3b85851a2ee63809e15eac9de631d36a2c7c355dea4dbed0a54aaca52e15d3013aaa84f3a061d2a

Download Submit
memory/364-274-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/404-179-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/404-175-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/476-301-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/476-302-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/624-300-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/868-316-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/868-317-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1048-141-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1048-245-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1228-304-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1832-248-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1832-251-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2232-267-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2232-266-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2240-306-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2240-305-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2340-283-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2424-323-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2424-322-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2612-156-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2728-292-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2808-185-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2808-191-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-202-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3116-224-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3172-213-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3444-235-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3464-310-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3608-262-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3608-260-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3608-164-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3608-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3628-257-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3628-255-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3768-298-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3768-297-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4000-313-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-309-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-284-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-308-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-287-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4124-318-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4124-319-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4136-143-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4136-247-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4280-321-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4324-142-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4324-246-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4436-320-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4448-244-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4448-241-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4456-271-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4524-279-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4580-303-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4580-311-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4604-315-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4604-314-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4672-296-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4712-312-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4796-299-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4896-307-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4896-240-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4896-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download