ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
Size

477KB
MD5

0f7e341af71c96b0c2cc3099b69219d0
SHA1

981e5189b1ec0b10fd03b8a248ccda9ac3e2f2fd
SHA256

ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
SHA512

53a19e4a848a52a232ef7ed5402d90819902dea1e66a58bb8e9d55a9ae1ae0968858788f02bfeafc06bd14a18958aee4571e2c5504c264e5f15c2996d8d0dc97
SSDEEP

12288:ZwQmLBIl9rJndyioSVJkpS5X7NVAEPwEPE1z/uvC/uuh/u8Y+gKr+6/u2mC9eBw4:uMMioSqmX7NVAEPwEPE1z/uvC/uuh/uB

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 49 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2160	SEAkYYQA.exe
4208	xacIkoAs.exe
5012	HKowMYsk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	xacIkoAs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KMsYMMsk.exe = "C:\\Users\\Admin\\bGQIYkgg\\KMsYMMsk.exe"	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dAQMMwcU.exe = "C:\\ProgramData\\kCwEsIQk\\dAQMMwcU.exe"	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEAkYYQA.exe = "C:\\Users\\Admin\\vsYssEQI\\SEAkYYQA.exe"	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEAkYYQA.exe = "C:\\Users\\Admin\\vsYssEQI\\SEAkYYQA.exe"	SEAkYYQA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xacIkoAs.exe = "C:\\ProgramData\\FCUUEcgI\\xacIkoAs.exe"	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xacIkoAs.exe = "C:\\ProgramData\\FCUUEcgI\\xacIkoAs.exe"	xacIkoAs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xacIkoAs.exe = "C:\\ProgramData\\FCUUEcgI\\xacIkoAs.exe"	HKowMYsk.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\vsYssEQI\SEAkYYQA	HKowMYsk.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	xacIkoAs.exe
File opened for modification	C:\Windows\SysWOW64\sheFindSend.mp3	xacIkoAs.exe
File opened for modification	C:\Windows\SysWOW64\sheSelectLock.exe	xacIkoAs.exe
File opened for modification	C:\Windows\SysWOW64\sheUndoUpdate.docx	xacIkoAs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\vsYssEQI	HKowMYsk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
968	4144	WerFault.exe	488
3564	3680	WerFault.exe	485
2656	3700	WerFault.exe	491

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2540	reg.exe
1344	reg.exe
4888	reg.exe
4828	reg.exe
3332	reg.exe
3620	reg.exe
1780	reg.exe
3616	reg.exe
744	reg.exe
4132	reg.exe
4132	reg.exe
2680	reg.exe
3712	reg.exe
4448	reg.exe
3432	reg.exe
4580	reg.exe
4908	reg.exe
2240	reg.exe
960	reg.exe
3856	reg.exe
4780	reg.exe
4812	reg.exe
876	reg.exe
1596	reg.exe
4080	reg.exe
2556	reg.exe
1020	reg.exe
916	reg.exe
1468	reg.exe
4780	reg.exe
1292	reg.exe
1444	reg.exe
4776	reg.exe
4020	reg.exe
4732	reg.exe
1404	reg.exe
3220	reg.exe
5044	reg.exe
3472	reg.exe
1668	reg.exe
4056	reg.exe
1596	reg.exe
4276	reg.exe
2572	reg.exe
2584	reg.exe
2224	reg.exe
1688	reg.exe
2396	reg.exe
2012	reg.exe
4464	reg.exe
1852	reg.exe
3132	reg.exe
3872	reg.exe
1880	reg.exe
3648	reg.exe
4920	reg.exe
4484	reg.exe
4680	reg.exe
3680	reg.exe
3540	reg.exe
3432	reg.exe
3180	reg.exe
2820	reg.exe
4360	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
2040	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
2040	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
2040	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
2040	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4140	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4140	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4140	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4140	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4488	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4488	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4488	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4488	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1572	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1572	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1572	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1572	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
5088	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
5088	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
5088	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
5088	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4136	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4136	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4136	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4136	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1144	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1144	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1144	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1144	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4584	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4584	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4584	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4584	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4124	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4124	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4124	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4124	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4984	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4984	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4984	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4984	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
3136	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
3136	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
3136	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
3136	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1292	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1292	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1292	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
1292	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4328	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4328	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4328	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
4328	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4208	xacIkoAs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe
4208	xacIkoAs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2160	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	82
PID 848 wrote to memory of 2160	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	82
PID 848 wrote to memory of 2160	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	82
PID 848 wrote to memory of 4208	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	83
PID 848 wrote to memory of 4208	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	83
PID 848 wrote to memory of 4208	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	83
PID 848 wrote to memory of 2428	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	85
PID 848 wrote to memory of 2428	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	85
PID 848 wrote to memory of 2428	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	85
PID 848 wrote to memory of 2208	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	87
PID 848 wrote to memory of 2208	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	87
PID 848 wrote to memory of 2208	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	87
PID 848 wrote to memory of 916	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	89
PID 848 wrote to memory of 916	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	89
PID 848 wrote to memory of 916	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	89
PID 848 wrote to memory of 220	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	90
PID 848 wrote to memory of 220	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	90
PID 848 wrote to memory of 220	848	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	90
PID 2428 wrote to memory of 4608	2428	cmd.exe	93
PID 2428 wrote to memory of 4608	2428	cmd.exe	93
PID 2428 wrote to memory of 4608	2428	cmd.exe	93
PID 4608 wrote to memory of 4296	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	94
PID 4608 wrote to memory of 4296	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	94
PID 4608 wrote to memory of 4296	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	94
PID 4296 wrote to memory of 672	4296	cmd.exe	96
PID 4296 wrote to memory of 672	4296	cmd.exe	96
PID 4296 wrote to memory of 672	4296	cmd.exe	96
PID 4608 wrote to memory of 2240	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	97
PID 4608 wrote to memory of 2240	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	97
PID 4608 wrote to memory of 2240	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	97
PID 4608 wrote to memory of 2804	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	99
PID 4608 wrote to memory of 2804	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	99
PID 4608 wrote to memory of 2804	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	99
PID 4608 wrote to memory of 3356	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	101
PID 4608 wrote to memory of 3356	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	101
PID 4608 wrote to memory of 3356	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	101
PID 4608 wrote to memory of 2364	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	102
PID 4608 wrote to memory of 2364	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	102
PID 4608 wrote to memory of 2364	4608	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	102
PID 672 wrote to memory of 3228	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	105
PID 672 wrote to memory of 3228	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	105
PID 672 wrote to memory of 3228	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	105
PID 672 wrote to memory of 3744	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	107
PID 672 wrote to memory of 3744	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	107
PID 672 wrote to memory of 3744	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	107
PID 672 wrote to memory of 1404	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	110
PID 672 wrote to memory of 1404	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	110
PID 672 wrote to memory of 1404	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	110
PID 672 wrote to memory of 4360	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	109
PID 672 wrote to memory of 4360	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	109
PID 672 wrote to memory of 4360	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	109
PID 672 wrote to memory of 3132	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	113
PID 672 wrote to memory of 3132	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	113
PID 672 wrote to memory of 3132	672	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	113
PID 3228 wrote to memory of 2040	3228	cmd.exe	115
PID 3228 wrote to memory of 2040	3228	cmd.exe	115
PID 3228 wrote to memory of 2040	3228	cmd.exe	115
PID 2040 wrote to memory of 384	2040	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	116
PID 2040 wrote to memory of 384	2040	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	116
PID 2040 wrote to memory of 384	2040	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	116
PID 2040 wrote to memory of 4672	2040	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	118
PID 2040 wrote to memory of 4672	2040	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	118
PID 2040 wrote to memory of 4672	2040	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	118
PID 2040 wrote to memory of 4680	2040	ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe	119

C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
"C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\vsYssEQI\SEAkYYQA.exe
  "C:\Users\Admin\vsYssEQI\SEAkYYQA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2160
- C:\ProgramData\FCUUEcgI\xacIkoAs.exe
  "C:\ProgramData\FCUUEcgI\xacIkoAs.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
    C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:672
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        8⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        10⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        12⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        14⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        16⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        18⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        20⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        22⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        24⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        26⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        28⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        30⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        32⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        33⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        34⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        35⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        36⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        37⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        38⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        39⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        40⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        41⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        42⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        43⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        44⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        45⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        46⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        47⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        48⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        49⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        50⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        51⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        52⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        53⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        54⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        55⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        56⤵
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        57⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        58⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        59⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        60⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        61⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        62⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        63⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        64⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        65⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        66⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        67⤵
        Adds Run key to start application
        
        PID:2288
        
        C:\Users\Admin\bGQIYkgg\KMsYMMsk.exe
        
        "C:\Users\Admin\bGQIYkgg\KMsYMMsk.exe"
        68⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 372
        69⤵
        Program crash
        
        PID:3564
        
        C:\ProgramData\kCwEsIQk\dAQMMwcU.exe
        
        "C:\ProgramData\kCwEsIQk\dAQMMwcU.exe"
        68⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 272
        69⤵
        Program crash
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        68⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        69⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        70⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        71⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        72⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        73⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        74⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        75⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        76⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        77⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        78⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        79⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        80⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        81⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        82⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        83⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        84⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        85⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        86⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        87⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        88⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        89⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        90⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        91⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        92⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        93⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        94⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        95⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3"
        96⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3
        97⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        UAC bypass
        
        PID:3084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEQwIcIs.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        96⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        Modifies registry key
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QygAwYQg.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        94⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        Modifies registry key
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUYEkUcY.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        92⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        Modifies registry key
        
        PID:744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        Modifies registry key
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lygYQQEw.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        90⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwwUAUYo.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        88⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        UAC bypass
        Modifies registry key
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCoYkQUg.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        86⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyUwQYUM.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        84⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQAMUkMw.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        82⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWooUAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        80⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQAocQEs.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        78⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiwQckkA.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        76⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rocoEQMA.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        74⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWMUMgkI.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        72⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsMIkYIs.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        70⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoIgUEMo.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        68⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSsoUoIA.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        66⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEcEUUsE.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        64⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oekgMkIs.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        62⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EwMUAAQk.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        60⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCoYwQok.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        58⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyMUcIcM.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        56⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKUAoYYc.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        54⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        Modifies registry key
        
        PID:4776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WokcsMwM.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        52⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQMYMQEE.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        50⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dessYgUA.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        48⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuEoUUgU.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        46⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkckAYkE.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        44⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKkskkkI.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        42⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        Modifies registry key
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGogMoQM.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        40⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vMskAAoI.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        38⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WAUccwMM.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        36⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIQwMYkQ.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        34⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QkkEAMEY.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        32⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKgUocEI.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        30⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        Modifies registry key
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMoAQogk.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        28⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        UAC bypass
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQYkYwoY.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        26⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        Modifies registry key
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCcIocUo.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        24⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmMUQUYY.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        22⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmQIYMwU.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        20⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCAUskQs.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        18⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        Modifies registry key
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KkkwEMQg.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        16⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWAssYsc.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        14⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMUYoUsE.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        12⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hokQEMQo.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        10⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqYIwwso.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        8⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:3332
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3744
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:4360
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:1404
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCkowUME.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
        6⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1376
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:2240
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:3356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mKYUIAkM.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
      4⤵
      PID:2364
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:2032
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2208
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:916
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JkQwIsUE.bat" "C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3.exe""
  2⤵
  PID:3420
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2540

C:\ProgramData\fUoYUUUA\HKowMYsk.exe
C:\ProgramData\fUoYUUUA\HKowMYsk.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:5012

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 9nd+PmkkOk2wy/AJSO8Ccw.0.2
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3680 -ip 3680
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4144 -ip 4144
1⤵
PID:4192

C:\ProgramData\DgAwksMc\ZWUoIoos.exe
C:\ProgramData\DgAwksMc\ZWUoIoos.exe
1⤵
PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 356
  2⤵
  - Program crash
  PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3700 -ip 3700
1⤵
PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FCUUEcgI\xacIkoAs.exe

Filesize
470KB

MD5
6a3809ea3d071de6dc1003979eb12118

SHA1
926413782cb142e1b7d207e8527f1152aac992b8

SHA256
254992b8babf09a2a76462a68f83613f8e3eb25969a97c73c5faa8bd997ee082

SHA512
530b9feba43e837d686daeda305b32bbb0e13505c5eb02cb1d459b2d5c2c60a1a78eacdc6e83064176e24e863ec7d0e0170356107a4a2d69e3c3a2f9494daf33

Download Submit
C:\ProgramData\FCUUEcgI\xacIkoAs.exe

Filesize
470KB

MD5
6a3809ea3d071de6dc1003979eb12118

SHA1
926413782cb142e1b7d207e8527f1152aac992b8

SHA256
254992b8babf09a2a76462a68f83613f8e3eb25969a97c73c5faa8bd997ee082

SHA512
530b9feba43e837d686daeda305b32bbb0e13505c5eb02cb1d459b2d5c2c60a1a78eacdc6e83064176e24e863ec7d0e0170356107a4a2d69e3c3a2f9494daf33

Download Submit
C:\ProgramData\fUoYUUUA\HKowMYsk.exe

Filesize
466KB

MD5
1ab000524e1ea99ace33fe96c7590aab

SHA1
1df6e7c5fb2427930991037c97261b92d8911647

SHA256
9e101013254448bb7b822f93e575732d163a660b4343d8facde2c9f5a36f33eb

SHA512
14d8a2a431c12ccbdf32a04520e9d5595eabd2cdb5f3fa6583de3e4a5bbac70aa770015b10df4179f89cd0678e0e3d36f6bc02933460258f1de6870c79d259ff

Download Submit
C:\ProgramData\fUoYUUUA\HKowMYsk.exe

Filesize
466KB

MD5
1ab000524e1ea99ace33fe96c7590aab

SHA1
1df6e7c5fb2427930991037c97261b92d8911647

SHA256
9e101013254448bb7b822f93e575732d163a660b4343d8facde2c9f5a36f33eb

SHA512
14d8a2a431c12ccbdf32a04520e9d5595eabd2cdb5f3fa6583de3e4a5bbac70aa770015b10df4179f89cd0678e0e3d36f6bc02933460258f1de6870c79d259ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMUYoUsE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkkwEMQg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKgUocEI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCkowUME.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMoAQogk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkkEAMEY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RqYIwwso.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCAUskQs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAUccwMM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGogMoQM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eCcIocUo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff773ba71ce9b9e3f3924643fabaf13101471867bd5408e425bc74b1aeb8e9b3

Filesize
6KB

MD5
8d59f5f3929b07ccae9ff4d9c238ff7d

SHA1
f8cf4e4edddb2335c6868295456eb9092e42a1d5

SHA256
075adc45d321bd8b0562bd8df87febe1c0991224b9d00363550a7345de8522db

SHA512
1cc4e3dfc9c6bd6e7d368d1401b74224162d0597b85cfb06fa671bae31a4e1ce9659f0caf72f3bf16f2fd61437a685cfc7cdf0b5524ff078a5a888644f5f1809

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hokQEMQo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmMUQUYY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKYUIAkM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIQwMYkQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWAssYsc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMskAAoI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmQIYMwU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQYkYwoY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\vsYssEQI\SEAkYYQA.exe

Filesize
473KB

MD5
147b6de93e3c4e66c199be344161cbeb

SHA1
8713bf871abbbf3c792721697f2c70c4881153c8

SHA256
96c596e14c818eb329925ddb7a273ee81c92e59cf863a1cfc1c7e15b064f0053

SHA512
47829c116e081b875c3e7c8bd07b9370bd472063a10148d956c76eb9213a7ba5b649891ff27f7dbfacb29a4a306b66549a36ec78c3b8c60f2fa307ff1edbb4cc

Download Submit
C:\Users\Admin\vsYssEQI\SEAkYYQA.exe

Filesize
473KB

MD5
147b6de93e3c4e66c199be344161cbeb

SHA1
8713bf871abbbf3c792721697f2c70c4881153c8

SHA256
96c596e14c818eb329925ddb7a273ee81c92e59cf863a1cfc1c7e15b064f0053

SHA512
47829c116e081b875c3e7c8bd07b9370bd472063a10148d956c76eb9213a7ba5b649891ff27f7dbfacb29a4a306b66549a36ec78c3b8c60f2fa307ff1edbb4cc

Download Submit
memory/672-167-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/672-157-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/820-307-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/848-132-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/848-315-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/848-234-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/880-306-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/880-305-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1096-290-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1144-243-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1148-319-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1240-296-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1292-267-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1292-264-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1444-286-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1444-281-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1572-214-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1572-211-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1628-303-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1628-302-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1984-308-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2040-178-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2040-277-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2160-142-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2160-244-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2744-297-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2872-295-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3060-312-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3136-263-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3272-298-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3272-299-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3680-316-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3700-318-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3872-311-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3932-280-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3936-275-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4124-250-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4124-254-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4136-233-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4140-190-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4144-317-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4208-143-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4208-245-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4280-309-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4280-310-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4328-272-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4328-304-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4360-321-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4360-320-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4464-301-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4464-300-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4488-196-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4488-199-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4584-249-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4608-166-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4608-156-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4824-322-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4832-313-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4832-314-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4984-259-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5012-144-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5088-292-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5088-223-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5092-323-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download