8fce5a28b41f6df9e20d6b99367be1c0066847c8ea784ba295cc5a31e04dff57

Analysis

max time kernel
169s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fffa4c215f0dd3181e3e6f721880c1c0.exe
Size

484KB
MD5

fffa4c215f0dd3181e3e6f721880c1c0
SHA1

620e3af2ab5d95e851c677fae094a45e341fef91
SHA256

8fce5a28b41f6df9e20d6b99367be1c0066847c8ea784ba295cc5a31e04dff57
SHA512

2173d0136a5288538588818f900e779430875ef39c802d18b42000ffd417aef055d28713d8259185e8c21d0720247a88c7e8e8b91a837bdb9418aecb944c3736
SSDEEP

12288:ogczz3vNC1G7ddxMm6GY21RBvsub93qCDd:ogcPNcG5MmLzsubNqi

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 58 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fffa4c215f0dd3181e3e6f721880c1c0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fffa4c215f0dd3181e3e6f721880c1c0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fffa4c215f0dd3181e3e6f721880c1c0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 61 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fffa4c215f0dd3181e3e6f721880c1c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	nIQksMwA.exe

Executes dropped EXE 3 IoCs

pid	Process
3616	CSUIMgwU.exe
3420	nIQksMwA.exe
2380	aaUAEkoo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYYsQsQQ.exe = "C:\\Users\\Admin\\ruQUYswA\\SYYsQsQQ.exe"	fffa4c215f0dd3181e3e6f721880c1c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JmwwwMMQ.exe = "C:\\ProgramData\\VWUIAMIg\\JmwwwMMQ.exe"	fffa4c215f0dd3181e3e6f721880c1c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CSUIMgwU.exe = "C:\\Users\\Admin\\WgcMQsQQ\\CSUIMgwU.exe"	fffa4c215f0dd3181e3e6f721880c1c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nIQksMwA.exe = "C:\\ProgramData\\lsIQcsMQ\\nIQksMwA.exe"	fffa4c215f0dd3181e3e6f721880c1c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CSUIMgwU.exe = "C:\\Users\\Admin\\WgcMQsQQ\\CSUIMgwU.exe"	CSUIMgwU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nIQksMwA.exe = "C:\\ProgramData\\lsIQcsMQ\\nIQksMwA.exe"	nIQksMwA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nIQksMwA.exe = "C:\\ProgramData\\lsIQcsMQ\\nIQksMwA.exe"	aaUAEkoo.exe

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fffa4c215f0dd3181e3e6f721880c1c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fffa4c215f0dd3181e3e6f721880c1c0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\WgcMQsQQ	aaUAEkoo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\WgcMQsQQ\CSUIMgwU	aaUAEkoo.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	nIQksMwA.exe
File opened for modification	C:\Windows\SysWOW64\sheExpandPing.mpg	nIQksMwA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1124	4088	WerFault.exe	395
2412	3688	WerFault.exe	396
3672	3172	WerFault.exe	397

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3544	reg.exe
3268	reg.exe
2692	reg.exe
5048	reg.exe
3028	reg.exe
4300	reg.exe
380	reg.exe
4872	reg.exe
1364	reg.exe
3480	reg.exe
2948	reg.exe
3040	reg.exe
4344	reg.exe
4272	reg.exe
4964	reg.exe
4544	reg.exe
4964	reg.exe
3156	reg.exe
724	reg.exe
1308	reg.exe
3324	reg.exe
4924	reg.exe
3168	reg.exe
4796	reg.exe
4280	reg.exe
4008	reg.exe
4372	reg.exe
4696	reg.exe
3684	reg.exe
1188	reg.exe
2088	reg.exe
1352	reg.exe
4864	reg.exe
3196	reg.exe
384	reg.exe
2368	reg.exe
2980	reg.exe
4976	reg.exe
1804	reg.exe
3324	reg.exe
3580	reg.exe
1916	reg.exe
5068	reg.exe
3308	reg.exe
2624	reg.exe
4724	reg.exe
560	reg.exe
2060	reg.exe
2292	reg.exe
1908	reg.exe
2344	reg.exe
2876	reg.exe
2756	reg.exe
1976	reg.exe
2004	reg.exe
628	reg.exe
2328	reg.exe
60	reg.exe
2748	reg.exe
724	reg.exe
3080	reg.exe
2888	reg.exe
4936	reg.exe
4452	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	fffa4c215f0dd3181e3e6f721880c1c0.exe
2880	fffa4c215f0dd3181e3e6f721880c1c0.exe
2880	fffa4c215f0dd3181e3e6f721880c1c0.exe
2880	fffa4c215f0dd3181e3e6f721880c1c0.exe
4004	fffa4c215f0dd3181e3e6f721880c1c0.exe
4004	fffa4c215f0dd3181e3e6f721880c1c0.exe
4004	fffa4c215f0dd3181e3e6f721880c1c0.exe
4004	fffa4c215f0dd3181e3e6f721880c1c0.exe
1244	fffa4c215f0dd3181e3e6f721880c1c0.exe
1244	fffa4c215f0dd3181e3e6f721880c1c0.exe
1244	fffa4c215f0dd3181e3e6f721880c1c0.exe
1244	fffa4c215f0dd3181e3e6f721880c1c0.exe
1800	fffa4c215f0dd3181e3e6f721880c1c0.exe
1800	fffa4c215f0dd3181e3e6f721880c1c0.exe
1800	fffa4c215f0dd3181e3e6f721880c1c0.exe
1800	fffa4c215f0dd3181e3e6f721880c1c0.exe
776	fffa4c215f0dd3181e3e6f721880c1c0.exe
776	fffa4c215f0dd3181e3e6f721880c1c0.exe
776	fffa4c215f0dd3181e3e6f721880c1c0.exe
776	fffa4c215f0dd3181e3e6f721880c1c0.exe
1664	fffa4c215f0dd3181e3e6f721880c1c0.exe
1664	fffa4c215f0dd3181e3e6f721880c1c0.exe
1664	fffa4c215f0dd3181e3e6f721880c1c0.exe
1664	fffa4c215f0dd3181e3e6f721880c1c0.exe
3332	fffa4c215f0dd3181e3e6f721880c1c0.exe
3332	fffa4c215f0dd3181e3e6f721880c1c0.exe
3332	fffa4c215f0dd3181e3e6f721880c1c0.exe
3332	fffa4c215f0dd3181e3e6f721880c1c0.exe
4964	fffa4c215f0dd3181e3e6f721880c1c0.exe
4964	fffa4c215f0dd3181e3e6f721880c1c0.exe
4964	fffa4c215f0dd3181e3e6f721880c1c0.exe
4964	fffa4c215f0dd3181e3e6f721880c1c0.exe
4692	fffa4c215f0dd3181e3e6f721880c1c0.exe
4692	fffa4c215f0dd3181e3e6f721880c1c0.exe
4692	fffa4c215f0dd3181e3e6f721880c1c0.exe
4692	fffa4c215f0dd3181e3e6f721880c1c0.exe
4888	fffa4c215f0dd3181e3e6f721880c1c0.exe
4888	fffa4c215f0dd3181e3e6f721880c1c0.exe
4888	fffa4c215f0dd3181e3e6f721880c1c0.exe
4888	fffa4c215f0dd3181e3e6f721880c1c0.exe
3648	fffa4c215f0dd3181e3e6f721880c1c0.exe
3648	fffa4c215f0dd3181e3e6f721880c1c0.exe
3648	fffa4c215f0dd3181e3e6f721880c1c0.exe
3648	fffa4c215f0dd3181e3e6f721880c1c0.exe
3784	fffa4c215f0dd3181e3e6f721880c1c0.exe
3784	fffa4c215f0dd3181e3e6f721880c1c0.exe
3784	fffa4c215f0dd3181e3e6f721880c1c0.exe
3784	fffa4c215f0dd3181e3e6f721880c1c0.exe
2348	cmd.exe
2348	cmd.exe
2348	cmd.exe
2348	cmd.exe
4372	fffa4c215f0dd3181e3e6f721880c1c0.exe
4372	fffa4c215f0dd3181e3e6f721880c1c0.exe
4372	fffa4c215f0dd3181e3e6f721880c1c0.exe
4372	fffa4c215f0dd3181e3e6f721880c1c0.exe
4088	fffa4c215f0dd3181e3e6f721880c1c0.exe
4088	fffa4c215f0dd3181e3e6f721880c1c0.exe
4088	fffa4c215f0dd3181e3e6f721880c1c0.exe
4088	fffa4c215f0dd3181e3e6f721880c1c0.exe
1824	fffa4c215f0dd3181e3e6f721880c1c0.exe
1824	fffa4c215f0dd3181e3e6f721880c1c0.exe
1824	fffa4c215f0dd3181e3e6f721880c1c0.exe
1824	fffa4c215f0dd3181e3e6f721880c1c0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3420	nIQksMwA.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe
3420	nIQksMwA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 3616	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	90
PID 2880 wrote to memory of 3616	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	90
PID 2880 wrote to memory of 3616	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	90
PID 2880 wrote to memory of 3420	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	91
PID 2880 wrote to memory of 3420	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	91
PID 2880 wrote to memory of 3420	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	91
PID 2880 wrote to memory of 1628	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	94
PID 2880 wrote to memory of 1628	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	94
PID 2880 wrote to memory of 1628	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	94
PID 2880 wrote to memory of 2060	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	96
PID 2880 wrote to memory of 2060	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	96
PID 2880 wrote to memory of 2060	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	96
PID 2880 wrote to memory of 628	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	97
PID 2880 wrote to memory of 628	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	97
PID 2880 wrote to memory of 628	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	97
PID 1628 wrote to memory of 4004	1628	cmd.exe	98
PID 1628 wrote to memory of 4004	1628	cmd.exe	98
PID 1628 wrote to memory of 4004	1628	cmd.exe	98
PID 2880 wrote to memory of 3836	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	99
PID 2880 wrote to memory of 3836	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	99
PID 2880 wrote to memory of 3836	2880	fffa4c215f0dd3181e3e6f721880c1c0.exe	99
PID 4004 wrote to memory of 1328	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	103
PID 4004 wrote to memory of 1328	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	103
PID 4004 wrote to memory of 1328	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	103
PID 4004 wrote to memory of 60	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	105
PID 4004 wrote to memory of 60	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	105
PID 4004 wrote to memory of 60	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	105
PID 4004 wrote to memory of 1188	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	106
PID 4004 wrote to memory of 1188	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	106
PID 4004 wrote to memory of 1188	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	106
PID 4004 wrote to memory of 2328	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	107
PID 4004 wrote to memory of 2328	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	107
PID 4004 wrote to memory of 2328	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	107
PID 1328 wrote to memory of 1244	1328	cmd.exe	111
PID 1328 wrote to memory of 1244	1328	cmd.exe	111
PID 1328 wrote to memory of 1244	1328	cmd.exe	111
PID 4004 wrote to memory of 2212	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	112
PID 4004 wrote to memory of 2212	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	112
PID 4004 wrote to memory of 2212	4004	fffa4c215f0dd3181e3e6f721880c1c0.exe	112
PID 1244 wrote to memory of 3600	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	114
PID 1244 wrote to memory of 3600	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	114
PID 1244 wrote to memory of 3600	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	114
PID 1244 wrote to memory of 2292	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	116
PID 1244 wrote to memory of 2292	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	116
PID 1244 wrote to memory of 2292	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	116
PID 1244 wrote to memory of 3544	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	117
PID 1244 wrote to memory of 3544	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	117
PID 1244 wrote to memory of 3544	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	117
PID 1244 wrote to memory of 1396	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	118
PID 1244 wrote to memory of 1396	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	118
PID 1244 wrote to memory of 1396	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	118
PID 1244 wrote to memory of 2248	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	119
PID 1244 wrote to memory of 2248	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	119
PID 1244 wrote to memory of 2248	1244	fffa4c215f0dd3181e3e6f721880c1c0.exe	119
PID 2212 wrote to memory of 3172	2212	cmd.exe	124
PID 2212 wrote to memory of 3172	2212	cmd.exe	124
PID 2212 wrote to memory of 3172	2212	cmd.exe	124
PID 3600 wrote to memory of 1800	3600	cmd.exe	125
PID 3600 wrote to memory of 1800	3600	cmd.exe	125
PID 3600 wrote to memory of 1800	3600	cmd.exe	125
PID 2248 wrote to memory of 4256	2248	cmd.exe	126
PID 2248 wrote to memory of 4256	2248	cmd.exe	126
PID 2248 wrote to memory of 4256	2248	cmd.exe	126
PID 1800 wrote to memory of 4724	1800	fffa4c215f0dd3181e3e6f721880c1c0.exe	127

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fffa4c215f0dd3181e3e6f721880c1c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fffa4c215f0dd3181e3e6f721880c1c0.exe

C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
"C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\WgcMQsQQ\CSUIMgwU.exe
  "C:\Users\Admin\WgcMQsQQ\CSUIMgwU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3616
- C:\ProgramData\lsIQcsMQ\nIQksMwA.exe
  "C:\ProgramData\lsIQcsMQ\nIQksMwA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
    C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        8⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        10⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        12⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        14⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        16⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        18⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        20⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        22⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        24⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        25⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        26⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        28⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        32⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        33⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        34⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        35⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        36⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        37⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        38⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        39⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        40⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        41⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        42⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        43⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        44⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        45⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        46⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        49⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        50⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        51⤵
        Adds Run key to start application
        
        PID:4580
        
        C:\Users\Admin\ruQUYswA\SYYsQsQQ.exe
        
        "C:\Users\Admin\ruQUYswA\SYYsQsQQ.exe"
        52⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 328
        53⤵
        Program crash
        
        PID:1124
        
        C:\ProgramData\VWUIAMIg\JmwwwMMQ.exe
        
        "C:\ProgramData\VWUIAMIg\JmwwwMMQ.exe"
        52⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 224
        53⤵
        Program crash
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        52⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        53⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        54⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        55⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        56⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        57⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        58⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        59⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        60⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        61⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        62⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        63⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        64⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        65⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        66⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        67⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        68⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        69⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        70⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        71⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        72⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        73⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        74⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        75⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        76⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        77⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        78⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        79⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        80⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        81⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        82⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        83⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        84⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        85⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        86⤵
        
        PID:668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        87⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        88⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        89⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        90⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        91⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        92⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        93⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        94⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        95⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        97⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        98⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        99⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        100⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        101⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        102⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        103⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        104⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        105⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        106⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        107⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        108⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        109⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        110⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        111⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        112⤵
        
        PID:4000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        UAC bypass
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        113⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        114⤵
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        115⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        116⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        117⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        118⤵
        
        PID:3004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        119⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe
        
        C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0
        121⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0"
        122⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CwoEEgIQ.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        122⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        Modifies registry key
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        Modifies registry key
        
        PID:560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        UAC bypass
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skUIsgks.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        120⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        Modifies registry key
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQEUUUgQ.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        118⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:4272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        UAC bypass
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmMUwgEc.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        116⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGYQooIM.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        114⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        Modifies registry key
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        Modifies registry key
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUooMAkI.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        112⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        Modifies registry key
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Oqsggkwk.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        110⤵
        
        PID:4516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        Modifies registry key
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwgUUgoE.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        108⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        Modifies registry key
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcIcIkcg.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        106⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUUEwcsA.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        104⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:4368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amIUoQAw.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        102⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        UAC bypass
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        Modifies registry key
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        Modifies registry key
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEAAEEkc.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        100⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKIUYUYc.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        98⤵
        
        PID:5056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies visibility of file extensions in Explorer
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSsMkcIs.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        96⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGMQUUgs.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        94⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        UAC bypass
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUcsosoc.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies registry key
        
        PID:4936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        UAC bypass
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UCoUQkcg.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        90⤵
        
        PID:1928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQQwUUgM.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        88⤵
        
        PID:3544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        Modifies registry key
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kggIsEYU.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        86⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        Modifies registry key
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        Modifies registry key
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkIkgcoI.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        84⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcQQAEEM.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        82⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OcMIcMQE.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        80⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsMkMkMw.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        78⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies registry key
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QsssMIAg.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        76⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQIIAMIc.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        74⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGwEEAIo.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        72⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JEogQYgw.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        70⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\muIsoggM.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        68⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        UAC bypass
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies registry key
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAMMoEAA.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        66⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        Modifies registry key
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GgUIAsIY.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        64⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiAwsoIg.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        62⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwkkYkMI.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        60⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIgsgEUQ.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        58⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIYIgAUU.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        56⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HccAAYEI.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        54⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyEwgAcU.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        52⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgUcIYwE.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        50⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmYwwcwk.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        48⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:3580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reIcgoYg.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        46⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        UAC bypass
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcgUIQwI.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lSQUwUkA.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        42⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        UAC bypass
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gsUoMQcA.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        40⤵
        
        PID:1988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        UAC bypass
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        Modifies registry key
        
        PID:3580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKEgEcII.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        38⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yucAIUgc.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        36⤵
        
        PID:2692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        UAC bypass
        
        PID:4544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:1916
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCEoUUAw.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        34⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        UAC bypass
        Modifies registry key
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGEAIcUA.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        32⤵
        
        PID:668
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:4796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GeUMQwUs.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        30⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROkIQMEY.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        28⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        UAC bypass
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkoEgQgU.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        26⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkEIQswU.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        24⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        UAC bypass
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:60
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgAssgIc.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        22⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYMQkEwE.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        20⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        Modifies registry key
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGIUUwEI.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        18⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SYgYUEIE.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        16⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        UAC bypass
        Modifies registry key
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HukMkUgA.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        14⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMoYAoMk.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        12⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwgEoUEU.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        10⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jakQgccA.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        8⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4944
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2292
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3544
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:1396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOYgYYcM.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4256
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:60
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:1188
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSQsgAAI.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3172
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
  PID:2060
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:628
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:3836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwQEUcYs.bat" "C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0.exe""
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1196

C:\ProgramData\KMEkEoEM\aaUAEkoo.exe
C:\ProgramData\KMEkEoEM\aaUAEkoo.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:3332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:4220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1916

C:\ProgramData\HWoAkUkk\hYEcMoIE.exe
C:\ProgramData\HWoAkUkk\hYEcMoIE.exe
1⤵
PID:3172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 400
  2⤵
  - Program crash
  PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3688 -ip 3688
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3172 -ip 3172
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4088 -ip 4088
1⤵
PID:3152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3332

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- UAC bypass
PID:4976

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe eef5eaf56bc923231b8acf322f7bd8a0 ETyIM7MqyUKHOU7MMi7gHw.0.1.0.0.0
1⤵
PID:4424
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KMEkEoEM\aaUAEkoo.exe

Filesize
431KB

MD5
e1f8aa71b04522b28a7d96a9bebe7c4b

SHA1
130db4e78db11b5b998814cfb39236fd8600a022

SHA256
4a166e9f5689765d94c2c42f25367293d4cda8be1adbb02848e380c9c1a8cb2b

SHA512
ba985afd9ccea204f745f5ec648ef9e7e59e14c8a6e0d4bc7e8c8d66d72e96fdd4b74e003fda947d71789eab359ad9699e0d48794cdcbb6dd757275c4b2e4b0b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
463KB

MD5
08f6d8d10ddc88f813cdeebcf43bf93a

SHA1
95770acecb31fcbcb76dc9a1eddf7162782c5d8b

SHA256
14fed7e186234c670239817deb61c06d05edadfbbf93ee0e47b31a8179fc8bef

SHA512
7106aaebdfc2c4aa4a8fcbc6ca923e0f406c0b412504d3d0879491e92a68534930fb9d308454f8e60096fb9f1e0aff1d55ef93664a8211d45089c551fa1adea1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe

Filesize
1024KB

MD5
54ff5f88aa19310da3fbe4f79b3e7204

SHA1
424e130853ddfe74416938780b10081718a9d97a

SHA256
c22cc9b6ae9ba3c35a97de0c0281039c627d982d6240b6d5bd7da6a557e858de

SHA512
7a1ef040391abe9c793657158324b6fc3cd45995e21a7b36175e79fccdb17963b7c29104aef9f2c930baf59bcda28845a660ee286496fece142ccec0f41506f1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
1020KB

MD5
82568019d1456fb3a624323f0fe94391

SHA1
74d91bd47c67c55e3c99dfecf8ead26582c7dfb2

SHA256
63f65da60623b75115912e97a682733b7dffad23ecb7f5fc32089f145b8a76e5

SHA512
fdc13eb5ee847f2da3f4fa7fcf608d5334464708b98449bf93ca9fb73a34fda6c7795d792f86fde9f1fe639cadd6e250f8a3445ca8898b71b315d07bf98dbb04

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
441KB

MD5
5c2173490c7d2e76ea44d766d82f3d71

SHA1
86403c7ed76c7ffcd123e8a35518e1a61a71a2d6

SHA256
8137e7913c921859ca7604101907e230f3909aeecc63b58f3a7abd4ba1380815

SHA512
045f7dff7a832ac91789b02154228af168a320f5e7f7d3a47a8a3dee6dce386ed2e6c937b60a8831faa71dd29c539e57feea3371449b75c4464c43b7836d381d

Download Submit
C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe

Filesize
1.0MB

MD5
8036f0a9d0377aeddddad485def9ccdf

SHA1
7f9c8b8ca4d777a8dd74ffef4324fd95730fc79f

SHA256
d4d5b298057cefe9d15b09e7e93592a6a2ccdcaa047e5fc6d3f9227e77ed0917

SHA512
3ea7873ccc45fa477644f1542f05a175cf70ee7c21987ec889feac99e6396af1eb7bac5f109f8e0b656b8678482667016fd255bed8a9805f62536d2e1753a8c1

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
881KB

MD5
541cd3b13fb12ad5b4ced58fc324591c

SHA1
0fa0f8a23a8a23ddfa8b3d6a7ba0f408320e22da

SHA256
8ea32321617cc2f05d91bbbef41c771c73fa34a54b604624962fe1adf98e8a6c

SHA512
168f900300f2670dae918b02e7123f01c4f6b88d479df0588ed9cd1eccacd7142161d9ae44858eab291ec0c6a04a9615cb069397cbf99ab8e8c8968f5c55c618

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
887KB

MD5
4cea7b67bda8432b5e0457411ba51cb0

SHA1
b4976bb2def77c690bc9832a83d14aeb9efbfc8d

SHA256
7358dc2282f1818c29c35389bad57906832341d4fba750f6b48431822ce8a8ff

SHA512
ebb30ededa2d0f5dc87e19f36ef6f0c1a3f0a103870c6f28980fa00797ca16230bd5b669b9b08441d3572a1b4c4d5dcb4514089c1e8e8b40c96bafddeebbbeef

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
882KB

MD5
8f5f2a4e33380e6876b42d98804cde80

SHA1
88a31e0826c05bf388dfdafe764e40c495e69a7e

SHA256
cf2282a4ffa4abf6271d445612ff050930b50ef24e66d239e5c93a614538cee9

SHA512
06c77ca5669bca1aadbef3348d91cc88da9a3e209deaab0de858c06dec9297fabe1f9857c70a2355b0ca7a48af107fb3822a9f307c3b8bf28827eaac92a7a274

Download Submit
C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe

Filesize
1.0MB

MD5
e162ea52349a58a2ee29e6237761bdfa

SHA1
7d5c43583958a3654f3018c0a57e578ee4379ab7

SHA256
bbd6feae5fd663e4e99ac6ff803fd7a7690bed3b9fb7da5f71d1c3d339b7ef93

SHA512
722e6eded20ca5e1393fb49c29e18e70d12ce593991aa966cd9f864c5320621f791b4fc4188f71dc7e6614759c85eb4c6605ed585546a6a8e996b450dd7a8912

Download Submit
C:\ProgramData\lsIQcsMQ\nIQksMwA.exe

Filesize
437KB

MD5
304618b00b710858d08b738054fd4688

SHA1
9575ada7c87a5c6202c23097ed01c9aea5add9c8

SHA256
e56e1c651996a068f493e3ab0f10f1f769aec8e699816b61e253399160374ab0

SHA512
fa5455a11ff62c5417c2181e5895aaeb10bf2639192a453539390133fc6aaf4aff1fe33b057019c43612f0988210c6f694dd935032145925988eff47ba63a0d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png.exe

Filesize
439KB

MD5
e45d52b736d0a0fbc1876cb48cfeeb6f

SHA1
2b1a5b7bc50ba284528514948a972fedd70d6b23

SHA256
27bb89c59999ab05b72b00774ecf3881b1911aac4657573068cd67d6dd8b7768

SHA512
c5cddb95d1ddb8e9ce0710fe5265ce0934c857a023e4ece88481a669f763d4457f68c5182a11496238650afc6b096d9da8bfb1f875c5380235f506dc66ff9c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
439KB

MD5
2f43a9c539aae19fa39326de1810b521

SHA1
fcf51d3eec39a03ef97386a7305c2c41156e0127

SHA256
aba5c845290c761ba97891069a3ff30c2eb82db88944d2abba7d53a6da7664ff

SHA512
bc20ad3ac16950bd17639f885497eb63eba745c2b040f52ae6d0b8d8ec24781380261b19a64fecb7869578e9872165fbf89e0bb48da4980e31394e96cfacc702

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAYQ.exe

Filesize
5.5MB

MD5
fff10329cc497442001ab96915e3c885

SHA1
cd0b74c6ca6c5ff48cb8e4f6456380bb43756bb6

SHA256
24cc36bd0e1dce1fc6460f62eefbedf3c79cf0c51787684a8b14c14add50e3ea

SHA512
42c904d72eb07fc51a06f43728b8b21e03aa6a595026be04aabaa7c0ae851bed56164fb9464aeb28a0a9820f857812dfe39acca635c7a52e899bf202cb28e22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agsg.exe

Filesize
443KB

MD5
6c1309cd59f48aad6fea18760fe67b1f

SHA1
ea8cabc9d480c0b86604166144cf81cdf323cf77

SHA256
540322c66b46671446aaadd821a414d79f2adb46147aeab9840ac17f5a63f535

SHA512
e967b295ddc4b057398eb9f23cfa0b302d4bc822e899dfa6403890f6b79bfaa1b73f9ec881432e3d060bb96f5624173e789b76ce64fcf4f003c066b3104e363f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkcQ.exe

Filesize
439KB

MD5
aabaf5ce6ade948b3b70332410bf8182

SHA1
5c20f25b8f6ccba1ab85dedd2eef2445af8f97e4

SHA256
f6fedeff765ead6c46d777efa959e004a1b1ee62a74a80209077a9389444be26

SHA512
064f0a6f1defadfe7eb4d9117ab408a8f182e8c4a9bacbc48069b77d50166192c5021f2463cd0a055281c71dcd2d3aec82d904033dc81e8904abb440f2671dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsYO.exe

Filesize
453KB

MD5
6e4d9e1a8f93773400f178b31309bb25

SHA1
3bb0e4e0faf285c3d82a19367f400dbe28932db6

SHA256
fcee66b9a33dba93ad1d7511a193f7547fff75c6fb5aa899d333f2a6d04de334

SHA512
43894eb172d3e81fe464bfa95a801685442a9d12240b7c65dc6a0b50f79c809fc01e1d9617ef7f87a00e25bf702f8eacc6d5adf3fe2e1c802a1920bb553d7706

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwIU.exe

Filesize
444KB

MD5
f482e364e9115c1306bd2640eef75368

SHA1
b1bb0f178de8a4cc460b4bf8366ddd3aaac5ef02

SHA256
5db21bdb849748001f4719aa5cc95af1173b91d0323577658fcd54220b272dcf

SHA512
d2152d669f4395a5ed3d6500b926dd57553a7fe76cccef9c96b1bb6fc168ae5c302e2390102fea4198cba843e33b79d408eb61375a0d2ec57227c5a0e6390a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dcka.exe

Filesize
443KB

MD5
091e561a2cba66e96a1f50f9dd1f825b

SHA1
4d37ce18b7a4dd412bfeafb5e0b40c752b0ddde0

SHA256
989826c4a060752f0b8bfe31aa4738e8adbd826ba3cb059c39b06f7036989ee7

SHA512
9b6c4cee69cb312e93b466552d0b2f081ff3f498d50e84c1349c7b63eac7bad2016505b8daea2e82ec7a475aff463e1c1bf59842278f62c1851a53e27ed9ea3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUYs.exe

Filesize
442KB

MD5
82cbb7cc299dbb94061c0b8b550218aa

SHA1
c142b383dc023bf92dd566dd95744ae8b803c36b

SHA256
23575371f967273c735c5fb74544d95ba446776b4d42a5fe6db8e955991eda9c

SHA512
5ac2cfc8237d56fa6f31ad3343be7596e42bc29314dd6b23bac82e7f47d53a131ff9eea74b9252090763ad0904276edb3563d4125786416b275e7991d69142f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsEk.exe

Filesize
441KB

MD5
c320d863fc2f881802ed953b76487b24

SHA1
d431c7661dffd2f04853d67c34b1792d42b4eea9

SHA256
d5da677892c4ce3170ced4d54c0b2c89834caf114ea4f3439137715f835126cc

SHA512
f2ec667599ca73de1e4730d35907d7ccf83f14e7e8c190d164bedbcd46b4b84561329caa8eb253b39193cf347b551659549c594393dbd5e2c66d76699340c754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Issu.exe

Filesize
439KB

MD5
32c01b45dfbca9c2bef95601242c6384

SHA1
7dd12ebdd491b01894cbcbcd6a22b38121a394be

SHA256
3c674b6b42be1d894756de77768d74d9d7b81b43303e75474ac3dfd204888c22

SHA512
2959b890578bccbd1e29e2501df84a8cf14f554d29b9bfecd1c33f5fcbfa52b83632b9280d2761bb307a30748bebadea4167a0d277a48f2dbf2317a0401af505

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgQO.exe

Filesize
442KB

MD5
0fc36114abdb6bceadafe1571d78cbff

SHA1
ddc0f37aac867944166da56a53921e5bae83e0c9

SHA256
f6d98ff8ca5466c7805c346f81b2fcd927d9754752fc31bb89d45a0c887144c9

SHA512
47f7de357c27aff56287a4666061cc61c87c36cd7dac272d3bd3d2c066f025f7175671a5c90d077de7c6695bc5501edc7caacc2984c25ee1335176d1e026fb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwYE.exe

Filesize
444KB

MD5
6c7e8809b20abacf030873d55eb667b6

SHA1
b659d1ec69f872034518c555824f6695f48416e5

SHA256
b570bdaa625a944a99aa458819b29c954655cc5abc7385b65dd542a3266a1969

SHA512
6056b78b2b18a9adb7dee366061071cfd627a7766988ab6f98ec90bd81ebaaf58187e31d843a01f6f4b4e71f869a8bcdbc34854f2072eb1d81198970fec2fcd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUcg.exe

Filesize
440KB

MD5
e16eecc05637c2165ca9c15a5605fcd8

SHA1
6157b3d4b5d62e10c2032065de63f2139db77736

SHA256
1be4f2c119af1e181d55c42f3d36e22129e881cf967803b2b6da21c9cca34ddc

SHA512
8dbe3b6be5523da39fe396fb4af1d0784a416313e6141afe0fede5c11634b3bc8e191bcb1572393a87bce8256eaaa90a2c466d0e8bc3de542db8ee7377732f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PkAg.exe

Filesize
440KB

MD5
133efc0174a33e72af29020afdc53981

SHA1
e01a8afcf10d27f7f08841516a578e4903299ae2

SHA256
c86e63810d345726f6e8a71a4a2088f46207d026f8b29c0782a3ed3778e40a41

SHA512
bbf10567ca759ac0deee5926153ab6838b7ce7080beba9326abaeb7029f823159b7e3d147eb77d8185ae41f4ccba1976199546d807abed5002dc48ffd969d658

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIgQ.exe

Filesize
438KB

MD5
d50daea4747aab83d2aa5c6adc32b7cd

SHA1
6dc6e17cda4f704ba923d4d8125c09903b8c67f0

SHA256
101a4f875991f5151fcdb8f843bb39aaedfb292483ae6c1de0c542eb49430552

SHA512
6662ca838966f139217e3cae96fb89c99264f9533d6035fe12803f39f7d99400eee206cb191ee6a1030945ec17c2e922c53276531047cfd049e22d2579bc5633

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAYi.exe

Filesize
437KB

MD5
887f95daa1cb53e8a0a4b02ec254a82c

SHA1
c58b00b1862fabc247c201b23237c26708c80602

SHA256
14a9571eecefac155b038d3072d6aed1fb5b7db42bff7fb9d330134496b55395

SHA512
78a37bc1786fee295e04900dc54d6cac9cea22d32224ba2f3fbe2b466b088d4c39752f3d606b190882101cf1426daae181a2f706dd92280fcd3b08bfb7a9843b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgAe.exe

Filesize
6.2MB

MD5
18af80316ad34e1998d879decbb17c84

SHA1
459497155e9b122f081395a9511c8d5e38909814

SHA256
3f2a836bd3a97741b317ac8223e5f0c92c212688a2e7137f727f61d5c9226398

SHA512
7c4c0ac3bef8aeb359da121221a4ed77d5a2d59b45beb936bd42e55a3777924e95d6c9f0d552dbfbd35dc25eb777ebd547038743dc7f9043052a9b5f9d8c427c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sqgo.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMUc.exe

Filesize
436KB

MD5
76266b05f6d445d4d03a7034d085393c

SHA1
f23321f09a53eeca4c18f9dadd042d321a446b6f

SHA256
244be3629fd0038e83899f674582461ab8374f71ac5609c6e8786ebb2759b4f2

SHA512
8ad9f743e1754e3eeff49d5b50d57eb4ea4708a0e09b270ce93cda66518781076cebb9933e2e78585025a6f46f6e5fea10d262c9b3edb34f394c2aadb274bd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\UcEu.exe

Filesize
887KB

MD5
1b1e991e636c1161d34ac7c689859919

SHA1
5e0988ba5343c6cbb3cf83fe843dce906803e3c7

SHA256
50f9fbeb98fa68d30bb47f9f16350b770cf338de631cdd1b87654fc4d4274a5e

SHA512
9fc25b4d498c82ebc7f57071b2b4924073c76ccaa11740b94699434cb6d9ca7fcee88a452d504e7629114175d4b5e39698099638fea62762aa9660eedf5d2d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uokq.exe

Filesize
440KB

MD5
966d9e3d58f4067f2cf6afdc64af2484

SHA1
af776d06b9b736af1b9d7ddedc1599b77d241f5d

SHA256
dda4bf51060d5ba3284e19e1d7a052a7e9b479113afb049698cf42d3583f6821

SHA512
2adf173e16fa9790150600d1be3776868ac72a51773c84c8ca4910d2d65cfe1f7c3a53fe12bf68ed79a846464e0772edf285e563ab2914d237a5da5bc7c9229f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAYM.exe

Filesize
475KB

MD5
6143fdcd1812c64d1bbbdfe6ef404c03

SHA1
b7295b30fb92fab4dca859c3c8d6196cecc89cfd

SHA256
a0798b0e02bcb1afc75d9296733980df0239e31656acfe0ec0bc53df01287739

SHA512
6019bee34366d53c6549a07802ddb1e878df088973c1555f35c8ee393d2e0a19bf4d3c17f480bc840f973d5336ca459f6beef3ff734ad379ca94a86dafcb8aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIIy.exe

Filesize
2.0MB

MD5
e3ee2352f7dc4c77e0deaf26df1dc42a

SHA1
15ceae24d45f0b1c7901ae507427e75982ccbc44

SHA256
a09d487a493b03bcfc67ea3cad7088c6abab30ee994cbdbc9ec8bc4170d0fa43

SHA512
ac1d9ffbda0fdf045c9adf5639f04e00aacee67cdeb65ec222cb5777e8783463b3b345e7f23ebc0ee092abecf107611079b0b98cf7361d02bc9a8308b0da3fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEIG.exe

Filesize
438KB

MD5
86f8ce74cfef88557877b8e0ce09fc55

SHA1
02c04ca4db3cf717d82f7b503addeee3b859d2bb

SHA256
f9ca57c0a5a103c8f7efd06b4716ccc86e3dfd63c8b09633203975dea4a1ed16

SHA512
0b1d24c958bb24abc023b6b6585806b0ff518fc93e0dc0aa4321721be5430cb312fff5a76f87da8a66297e33f199a32e106ade233c2aafe44f48d4690f145260

Download Submit
C:\Users\Admin\AppData\Local\Temp\WIIs.exe

Filesize
442KB

MD5
f18c03579893fd716902b43abba83d7a

SHA1
49ebecd1e016575f0fce703ef44c2617e8c250cb

SHA256
0426889c195f010fbe55d6977498d619e1eedfa03fff467f2def3eadd9d13764

SHA512
34a89244f13632b9cf32132e490249a2e46a8b664f744bbd86e899114ad33067852effffb617d9b5aee1164a979099742f3a0ff9b03648c69993f305b87b44b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUgw.exe

Filesize
562KB

MD5
5b43a1467e7d1bab0810298d9cda5434

SHA1
179283683642a05c75b7126902f8cc5435a661a4

SHA256
3c58984a8fd8852ff6c95ebd6693846180bc654f29450d0b53f39072e7cb8a99

SHA512
51681c338555f620876cf818df27785ff10cc81436907d16f76f67a774edf4e5227bb62bf72094e6cc71fb74852b142f4c3262d7850681e3364402a73bd63f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMQA.exe

Filesize
442KB

MD5
12db433bd4d978ef4834914cd9b3a653

SHA1
28d75152ea45be753245ccef49b133962df757ac

SHA256
87e17d940c4aeb7dc972a71e98833dd2753c18e60c89452fa5836bb65900cb3a

SHA512
c1610e461e5a1f7e73b01dc0f311e70946df9b5ce8481ee20521f2548b79b742982e68c4e5e9bb0b5cf3dedbb30c1f4970e253f619aec7b349ca7d0d3f67b1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIQu.exe

Filesize
435KB

MD5
93194fbc7dd732e97f104dd55b788e37

SHA1
1e72788532afed89516a97e76abc0f5b8a73fe5d

SHA256
4c877b95d1e7a5c359dc97de51d01bd425f6de7fcbad0a07d88c299a595a6009

SHA512
da14385c7724136b7187ed6c4fd1202c629388aac95c0dfdd758ef62448dbbf6d7f452b539cf297c3bde89e847506f50909659a1cc82497923aa99008515bbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQse.exe

Filesize
456KB

MD5
14d21c3d901846abc5ec07d5b7964e27

SHA1
0ac470ca48ccb4f15a1bcca606124ec1491d8087

SHA256
fb4b64b1dbc342cb3585ae9389bde44984ec9f358ec2a2fcf952618f95911259

SHA512
0994f8b2a6684d97c2dd13858cf0b0b84ea1339a36f0852c9f36e9dfbb8eb33b84da7fcc6ccf098315fe4560346ff0a0d3736434f8fae29300ffb09e44b9b190

Download Submit
C:\Users\Admin\AppData\Local\Temp\akQs.exe

Filesize
446KB

MD5
ad46398993c2626e9e17f2a841accac3

SHA1
f3277d63a65ee4d987f2e6593322ad5a46064070

SHA256
8d36207ebfaeed7e875773e3bd6d608208c2e0e7fbcc772f68d063a2012cdee3

SHA512
b21eeb5f1c16d764968902de24e1ff5a223e4ef2fcc7f75006834a326f2b10c687caca9118bdf27f6abe44d634860ca605dc89e1f7334886414f2632bb952803

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYMk.exe

Filesize
1.0MB

MD5
8ba2eb7de472a2fdfeaad9e9098d8f96

SHA1
4e3a8ef98567ebaad23306cf98bff9c597a4e772

SHA256
58dc3f664905be9df68b0ecfa5ac6825b65ee8062e14d700d32a571af726dc74

SHA512
7e861b7e52f7394e941b3c49dcf0d83fe5fe57250b17f29f529e3d49cba302837ecf09a84457ee69c41676063033c7b90ec7797d37bdebc467d84b9b0dabab7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csoo.exe

Filesize
434KB

MD5
d8daf6f01b4831840999b56a71674e0b

SHA1
c45b0f18dc1036ba5c4268b9561e6281d976cdeb

SHA256
2291c94aa5c86aafd7554746df983ced1783472eaf2136d3277ca7e1fec4b649

SHA512
0125cf71dcf1805b6c849d4f65fad72da6f11e08f0345f457436a95f4738384d67554ea005ce2e7a2b07b4e108977a9ab92d396db11968b27f037d9e9e21fb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSQsgAAI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEQK.exe

Filesize
559KB

MD5
f600eab0c98083cb9ede1fc02f601778

SHA1
6560f68f0a540ccbb234beb84b299050369db652

SHA256
747e2e31b50c51a7693e34e4f8390f80197eca9799a2d39309e4fc5603437f71

SHA512
ab9b3091be5f29b5a0bda94f882db1bb66f18563aa1e00085b8c4eb691e68af7a40910cb4d4c690c491d432599af1a6784cc8bfb3715c56973f37c7ec768348c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fffa4c215f0dd3181e3e6f721880c1c0

Filesize
48KB

MD5
d342c2b5f3d16dc992db22cb737ad617

SHA1
615a98744fb22809454b706174597a4d6b6d128b

SHA256
0618d6fc5a05288bb126eb258fccfe7697e194022a57206671a172a39bc5e486

SHA512
4f773f0cb331d46e54f89db7af96be8cd72689cd85d6698d9737052ca088c30e9bc4064cefc277ab7b65b76787735956702f6c7b8f048cabe46c2117107953d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwYg.exe

Filesize
436KB

MD5
7f41959464a4e3e4942b671b230cab64

SHA1
f694c382d98a5f5dc618b20715d69c0d6633c943

SHA256
f0871d91a77034044bf7b9a679397cf964745325902b3e6ec7a35116cd561489

SHA512
fedd62fb7b664582eea80286785800d308e6e1ff9b1ff7d81b297399a53ca045d1a851c94c15e3533a54285acdacca879a66ccc8204b2402087661f6ec1208dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoMQ.exe

Filesize
445KB

MD5
cedd2f65403aa4f8c6c4ecb6ada9c370

SHA1
c468beddceebe98e71215408189d0f63057c3833

SHA256
8bffd8a5555519afe054af06cfde621f0eee6070170a47cc68091ffdaa3d8c8f

SHA512
5daf83ab117749bf25c3b38ddb86f70c98b90e8bad877fff15bad24692f040076e53a9c08f1d84dc8203ad0e1cad816143abf10681f8e88388dcdfc3253451a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jAQY.exe

Filesize
437KB

MD5
ff6fcb9f4adf1268e1eeccf280f61ee8

SHA1
a798a373eb276d065baff986c5ddc2b8a7caec0b

SHA256
5306b01bcc9d6045d02d1247b04718811fe8bea5681db5da1e0b1cb91866bd54

SHA512
0386fe58b51674f5752fde9ce9a9570ca58b505514e16a2d098118baab4ef51a9c53ef43c9e45ccd03659ad97701d5c8649a1c739a1c525cc26d17471e443cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jIMO.exe

Filesize
436KB

MD5
692e816390ff585cb2c4fb96ae06874f

SHA1
3398b44bcfc731bf90f0db8dad6ba7d9b03eb80e

SHA256
1ec83a64805e4daec458b970c8e9c2c957e3cbbd85e5e8a46743594c7d959408

SHA512
6d272f3d454a74c2a63caf052365b400da2289b6a8445437e4447d93c10d7f0cb4aee716658ed141607663c1c45a2a7d6535997bd6ce1becf54f5dfd1ede19bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEoY.exe

Filesize
434KB

MD5
f932367f55d9fc7056d347fa59b1a02b

SHA1
14f17f6a36f04a6d8bfe6dfd74fd422c2831667b

SHA256
78fbe0406e34c76e63502a7df75850a6f54f33c183048f32968f5a99299e707a

SHA512
a5bfeb0baacc9e27d6ddf36decbdf8f8a3b899a6f1243c6f8b85e1dd272be9773e6c19877ced4786e2217827f96d3e4f8976587629f5d96a4445f4097c26e98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lIUY.exe

Filesize
439KB

MD5
8c9d2f37b5a4e5aee6a57d31410cc919

SHA1
9bc255430fb6c787d2f5ca8528944c9648156bdd

SHA256
db34adbe78c1a96b8013a395dcfc846a750d11b8fefe2707b365464e9434dbcb

SHA512
39444a7191a117d021fb0b618e6c6bde4cfbff406ac4f0b495e4cb8894fe68e7fe3dacb754ce1687c74bed35243c36defbd7895426c8c709cbbd91ab8057aace

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwEa.exe

Filesize
438KB

MD5
301f82a685739ac94bd902842654842a

SHA1
568c14c8aaa5e3c4c1999744bb536bd81eeb0364

SHA256
0c1c12f268f634a3dbe49814494a8ab34c3e1b9b771f4d8187e9c6f6fe9fc076

SHA512
85f6822dd135d72010d8b8c41cfcff403f01990cda28902557d73162033785bcd6bd213d338e7360b0e3ab99cf7b130d5783b86d8b471167b0259e929ff30794

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQoG.exe

Filesize
1.0MB

MD5
a678ec80bff2970212d4b670d70d5902

SHA1
7478137b0b3d4d74a5352232e2a2ac0ade18285c

SHA256
b8e947772a66fe5d6e90b3f3485242e4a26ccf2014ad648e2bdec12df29d3a4d

SHA512
0c793d772ef4a06ac80e8d749ec7180adf49a295e1d0873a27bbb3362f1e1d76a6d2f8a48755e70a97ab1d4086447e1368c16bbfad642eb8da15d1ca3dd7825b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAQa.exe

Filesize
810KB

MD5
ce59f74e046df2aca021b01c40df83d0

SHA1
430a9fc1f4356fc84ef1db7a203ed97dbb1a874c

SHA256
62de3ff2331209cf13ac9bbd294d07eda38f1cbe630e7958a9dc045c49635d2e

SHA512
b58b14db7f7ac86506b3847164f3382fa7b2f352660250e3f4e3a96c1b1e4a1cc7616df9e79437d13deed42d24d1178f7792329335eef200338ab8ebf55a49b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMsG.exe

Filesize
463KB

MD5
bea091ea0edb1635fff63310b8ec27ab

SHA1
a14a2bea155cad83832decdb5393fc5bee9cd7d3

SHA256
675e964e2bc420f8530429f6eb40432b646418eda9117bd45c7c231cc7dce329

SHA512
3bb52c743bdc1cb8d3d82e9b176b0346621955bb2efaa057af00e343dfb7fe2f9bb7238815b1a6f7c61d77a945129a2d12bc8d509f22ae3fe2c81320d7db5252

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYEm.exe

Filesize
438KB

MD5
3009bd1700162e6931667b1914eebb22

SHA1
c720c00f35342178598bf4ddef89310c8c5d822b

SHA256
214392406bba37a7eaf8fc30fdbb41e9f0a4d77cf14d91b391f4112092a313d6

SHA512
64812e8d216b44732ec516276d4c531f8679e39396fb92999480a45ab83e231dc583fae12a52bf7bc83fb4ade0a107afd79be4e7f3d68e46f6536805ecfdddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcMW.exe

Filesize
674KB

MD5
b4f3fcc522b4f70022f86bd137a54610

SHA1
86e8ed0450d6b368810a9e327c96f1af708dcbe1

SHA256
0949473c9daa3cd3f7e6c450e83d984c0021952d1b90d494aaa6b9dc67cb2c20

SHA512
bd4e1778cd36bf26a2f1c7f1548979b2bc38797529cb7943ff83fab5f20a6021cd2072eb8d6edf9ba594539df66cd9d44b99cd60866473d9effa266ed20dbedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAos.exe

Filesize
432KB

MD5
bc7886b0624b633a1176d7329d741c59

SHA1
d013b2db2f5255acf07970bfa227dbd4b9d6f844

SHA256
fa61f4162c95c4777a3c6cde2a40e0d9a86937e400319dd9002e3748d007c636

SHA512
643104c02855dab374d0052c92706cce7beeb0b4ee6bac0a3d8e185fc36afd4af48f0f0cd5227651fbefa922f1a61a609085fe279dac66985075193ed35d58f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qSYo.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qswC.exe

Filesize
436KB

MD5
5909c62647a943487554986597306a3e

SHA1
f7fa977ea2652b7dca94b03da053e8b83d88c255

SHA256
2296914a44185218e68d84602279b3c03faf531057098555d0ae8c6be5c01c10

SHA512
4b00cce11b34e2f49a33baa83ea232c8ed93ab677dd04e05c44b59bcd1713471e683f5fb2365136def0581aad611c4dd2df87f395075e9b8a955beb0c8044293

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMEw.exe

Filesize
443KB

MD5
8e8c4ff53182d0c38d96bb213c934c50

SHA1
697a3c35fd45e321e58b4b1d0499b514b3630a44

SHA256
b4a83c52d13bfb99241c745f6c8ddcea0834262cd7f44a52c19a4bc61d13a6db

SHA512
e33e3ce8c0e9e49186d74e04e9798976686fc72dace446aed578547e04e957047e02b1db560267b069e4fc3fa232fa35e7de6eb4e2d780aeefe363ea70a2a7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAUU.exe

Filesize
439KB

MD5
ad38b969fdf03bf3306f0956c83b1fc5

SHA1
9ef25c9860a547c5b18351631c8b5e09159b4e81

SHA256
a0445ca80f5b437042107a410f719e0b85068e4e7b096a21a3f200fd50512980

SHA512
dc6998c25629a45ac16dbc21ada659a56a51e0276b44cd913c5b8abd6032116a23edf60bd7d7f507dad4e9c6e45b859f029d396a92a6d11e9134613c923d8220

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwIc.exe

Filesize
441KB

MD5
28582cdbc25f677be9a31b9243275559

SHA1
8dcf71ee24847be8597c147b26f968dccdb12b13

SHA256
6a954b5f836281b9bdd2033948742d1d66041daada977c6c77e2d499d49e073c

SHA512
4596769ef5f696aecba9878fa36dac63ea3b179f7047b8f7cc0df4cff6d15fb61b9c37843fb753b68db0444a51ee314a41e21b0cdb5c9ea8da8afde83434cad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wooK.exe

Filesize
887KB

MD5
dd9588fadb1a2b5023ad63df057627c5

SHA1
a17ebf42eddbb872ef0bee55b4aa00d864c4298f

SHA256
58991838d42991e8af6919283ec212b148fd24e8f093cf400b814d032f9f79bc

SHA512
4d1b705992375218e39179719093226f4f72859ab87297359df07d4e49f8b8f08bf537da807d11b779eac180673406eb124bd89749abc33ab2a09d733d415bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsga.exe

Filesize
471KB

MD5
0f7bdb0bb7fe7b12a97fe01d653c68ef

SHA1
3d94aaa3643502331a1e631d880274f1c23124c9

SHA256
ea86884051fa0d55ab499537a559e9131cfcdf2c2db690fc1ee1f5fb329f7fb6

SHA512
94883a9747a618b22260fd1799521aa7d0f7ccf1058a9d6c0f4ce7dcdcde81b13e271508e4fc3cad93ee600ccb93e9e8f06bca5f0bbe55800e267ca1e139b104

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycwi.exe

Filesize
445KB

MD5
fd862fc225a23002a1d2dda139477652

SHA1
d7b68957c4aa086612f00a435ca2139cd42b8d78

SHA256
44cfbf6f3a1c98c73634cf2cd2489c015664acbbd37931ad8742ec7df39ea014

SHA512
9bddd08e1927991796d83ff749f973f4dd67b82d088ece9c1bf3af6170960490c5b000d28b22078fd336c5be4a6b5759d3950f71fcc75792bdb826f0bb1b9958

Download Submit
C:\Users\Admin\AppData\Roaming\MountUnpublish.pptx.exe

Filesize
2.0MB

MD5
b9c4bb5ab915ebf9dabda65c766798ec

SHA1
c20a25fa188f923c436ffb3cd1ea2e3a9ead3112

SHA256
7c0735e1b18dcacfcfbce70a03ba11a2a9626b30dd56eff9b4502eff9d1c0a48

SHA512
ac97b67dfcf18b7bc61f3b2784eda2adc4f866a2ce2bd4cf53c4d41cfb6d17e73d1acac377041067cec1e290b954cd5968bedf858e3cdbacca80cad584fd3e12

Download Submit
C:\Users\Admin\WgcMQsQQ\CSUIMgwU.exe

Filesize
433KB

MD5
87965a4908a6730533c1e7663a84a79a

SHA1
492eb98cff11086646e601457d4eb684df42a884

SHA256
3058bfee79db064a330f42e2fd6fca6e568d8a437dfbceac0bb15f456ee2bba7

SHA512
45088f7eedea305d6213842a32094156c476e0faeeaee6a6d6aaca925ce2692dd22f00892f19c3949e6847266e2cd517025d9fa09b8c491ee89de640c005b61e

Download Submit
memory/60-399-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/60-392-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/560-306-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/560-259-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/776-57-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/776-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1048-650-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1048-657-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1244-28-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1244-44-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1664-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1664-77-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-53-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1800-43-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1824-227-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1824-216-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2276-345-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2276-311-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2348-191-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2348-180-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2380-17-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2380-134-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2508-382-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2508-373-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2880-90-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2880-499-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2880-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3172-440-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3332-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3332-89-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3420-116-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3420-12-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3616-106-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3616-6-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3648-140-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3648-153-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3672-423-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3672-401-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3688-439-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3784-168-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3784-179-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3836-251-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3836-240-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4004-45-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4004-22-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4088-438-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4088-215-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4088-204-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4148-371-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4148-346-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4372-194-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4372-203-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4484-383-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4484-391-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4692-115-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4692-107-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4888-126-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4888-117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4964-102-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4964-91-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5020-634-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5020-618-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5080-228-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5080-239-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download