fb0e1a5a8ce0287140caa53c632cde2d111014e14b7f42b8fae5b287aaa3736b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MENU.bat
Size

183KB
MD5

7d5957e6a5bb4c3ca187deea5ae7ccb6
SHA1

8ab3d729aa3a4b8b65bc7c55c20584f7f051c08d
SHA256

5fc67423b7525b9daf0c2cbd454206e2db1ca167c8fd6b8e390caae8797a6352
SHA512

782a687c23c5ff9c1472ba88a8e4f2bc9f2e6b268c4286eb7581e95cd42f00cf9761b025027773edef849fad542fdbb986c96b46489811c9441106e308310730
SSDEEP

3072:mA/9obuPb1dhnWpGy+9l1NRldjayM4m1EPBPbuE1m7:LFobuPb1yR+9l1NRldjbM4m1EZPbuE1G

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2900-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2900-1-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/3052-2-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1760-3-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1596-4-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1596-5-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1224-6-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1236-7-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1188-8-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1128-9-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2412-10-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2496-11-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2704-12-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2536-13-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2536-14-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/992-15-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/992-16-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2692-17-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/376-18-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1540-19-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/840-20-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/840-21-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/752-22-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1452-23-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1452-24-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1736-25-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/796-26-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1648-27-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2344-28-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1556-29-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2340-30-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2340-31-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2112-32-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2112-33-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2764-34-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2764-35-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1232-36-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2244-37-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2348-38-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2780-39-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2780-40-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2856-41-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2856-43-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1108-44-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1108-45-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2168-46-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/868-47-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/3044-48-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/3056-49-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2156-51-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1696-52-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1256-53-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2328-54-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/948-55-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1536-56-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1888-57-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2276-58-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/304-59-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/304-60-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1600-61-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1600-62-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/736-63-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/736-64-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1896-65-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\002	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Library Location	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\001	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\pintohome\command\DelegateExecute = "{b455f46e-e4af-4035-b0a4-cf18d2f6f28e}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\Position = "Middle"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\SubCommands	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\002	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\002\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Library Location	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\pintohome\MUIVerb = "@shell32.dll,-51377"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\MUIVerb = "Convert to .bat"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\001\MUIVerb = "RegFile => BatFile"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\001	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Library Location	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\001\Icon = "%SystemRoot%\\System32\\imageres.dll,63"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\001\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Work\\RegToScript.exe\" /bat \"%1\" %1.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\002\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Work\\RegToScript.exe\" /bat /rh \"%1\" /clbrd"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shell\pintohome	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shell\pintohome	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Library Location\ = "{3dad6c5d-2167-4cae-9914-f99e41c12cfa}"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\002\Icon = "%SystemRoot%\\System32\\imageres.dll,241"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\002\MUIVerb = "RegFile => В буфер"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\pintohome\AppliesTo = "System.ParsingName:<>\"::{679f85cb-0220-4080-b29b-5540cc05aab6}\" AND System.ParsingName:<>\"::{645FF040-5081-101B-9F08-00AA002F954E}\" AND System.IsFolder:=System.StructuredQueryType.Boolean#True"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shell\pintohome\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\Icon = "regedit.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\regconvert\shell\001\command	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 64 IoCs

pid	Process
2900	cecho.exe
3052	cecho.exe
1760	cecho.exe
1596	cecho.exe
1224	cecho.exe
1236	cecho.exe
1188	cecho.exe
1128	cecho.exe
2412	cecho.exe
2496	cecho.exe
2704	cecho.exe
2536	cecho.exe
992	cecho.exe
2692	cecho.exe
376	cecho.exe
1540	cecho.exe
840	cecho.exe
752	cecho.exe
1452	cecho.exe
1736	cecho.exe
796	cecho.exe
1648	cecho.exe
2344	cecho.exe
1556	cecho.exe
2340	cecho.exe
2112	cecho.exe
2764	cecho.exe
1232	cecho.exe
2244	cecho.exe
2348	cecho.exe
2780	cecho.exe
2856	cecho.exe
1108	cecho.exe
2168	cecho.exe
868	cecho.exe
3044	cecho.exe
3056	cecho.exe
2156	cecho.exe
1696	cecho.exe
1256	cecho.exe
2328	cecho.exe
948	cecho.exe
1536	cecho.exe
1888	cecho.exe
2276	cecho.exe
304	cecho.exe
1600	cecho.exe
736	cecho.exe
1896	cecho.exe
2852	cecho.exe
1968	cecho.exe
2956	cecho.exe
2128	cecho.exe
1432	cecho.exe
604	cecho.exe
2848	cecho.exe
2292	cecho.exe
1552	cecho.exe
1628	cecho.exe
888	cecho.exe
1428	cecho.exe
3008	cecho.exe
2468	cecho.exe
2512	cecho.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3040	WMIC.exe
Token: SeSecurityPrivilege	3040	WMIC.exe
Token: SeTakeOwnershipPrivilege	3040	WMIC.exe
Token: SeLoadDriverPrivilege	3040	WMIC.exe
Token: SeSystemProfilePrivilege	3040	WMIC.exe
Token: SeSystemtimePrivilege	3040	WMIC.exe
Token: SeProfSingleProcessPrivilege	3040	WMIC.exe
Token: SeIncBasePriorityPrivilege	3040	WMIC.exe
Token: SeCreatePagefilePrivilege	3040	WMIC.exe
Token: SeBackupPrivilege	3040	WMIC.exe
Token: SeRestorePrivilege	3040	WMIC.exe
Token: SeShutdownPrivilege	3040	WMIC.exe
Token: SeDebugPrivilege	3040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3040	WMIC.exe
Token: SeRemoteShutdownPrivilege	3040	WMIC.exe
Token: SeUndockPrivilege	3040	WMIC.exe
Token: SeManageVolumePrivilege	3040	WMIC.exe
Token: 33	3040	WMIC.exe
Token: 34	3040	WMIC.exe
Token: 35	3040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3040	WMIC.exe
Token: SeSecurityPrivilege	3040	WMIC.exe
Token: SeTakeOwnershipPrivilege	3040	WMIC.exe
Token: SeLoadDriverPrivilege	3040	WMIC.exe
Token: SeSystemProfilePrivilege	3040	WMIC.exe
Token: SeSystemtimePrivilege	3040	WMIC.exe
Token: SeProfSingleProcessPrivilege	3040	WMIC.exe
Token: SeIncBasePriorityPrivilege	3040	WMIC.exe
Token: SeCreatePagefilePrivilege	3040	WMIC.exe
Token: SeBackupPrivilege	3040	WMIC.exe
Token: SeRestorePrivilege	3040	WMIC.exe
Token: SeShutdownPrivilege	3040	WMIC.exe
Token: SeDebugPrivilege	3040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3040	WMIC.exe
Token: SeRemoteShutdownPrivilege	3040	WMIC.exe
Token: SeUndockPrivilege	3040	WMIC.exe
Token: SeManageVolumePrivilege	3040	WMIC.exe
Token: 33	3040	WMIC.exe
Token: 34	3040	WMIC.exe
Token: 35	3040	WMIC.exe
Token: SeDebugPrivilege	2784	TrInstaller.exe
Token: SeIncreaseQuotaPrivilege	1924	WMIC.exe
Token: SeSecurityPrivilege	1924	WMIC.exe
Token: SeTakeOwnershipPrivilege	1924	WMIC.exe
Token: SeLoadDriverPrivilege	1924	WMIC.exe
Token: SeSystemProfilePrivilege	1924	WMIC.exe
Token: SeSystemtimePrivilege	1924	WMIC.exe
Token: SeProfSingleProcessPrivilege	1924	WMIC.exe
Token: SeIncBasePriorityPrivilege	1924	WMIC.exe
Token: SeCreatePagefilePrivilege	1924	WMIC.exe
Token: SeBackupPrivilege	1924	WMIC.exe
Token: SeRestorePrivilege	1924	WMIC.exe
Token: SeShutdownPrivilege	1924	WMIC.exe
Token: SeDebugPrivilege	1924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1924	WMIC.exe
Token: SeRemoteShutdownPrivilege	1924	WMIC.exe
Token: SeUndockPrivilege	1924	WMIC.exe
Token: SeManageVolumePrivilege	1924	WMIC.exe
Token: 33	1924	WMIC.exe
Token: 34	1924	WMIC.exe
Token: 35	1924	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1924	WMIC.exe
Token: SeSecurityPrivilege	1924	WMIC.exe
Token: SeTakeOwnershipPrivilege	1924	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2620	1616	cmd.exe	29
PID 1616 wrote to memory of 2620	1616	cmd.exe	29
PID 1616 wrote to memory of 2620	1616	cmd.exe	29
PID 1616 wrote to memory of 2760	1616	cmd.exe	30
PID 1616 wrote to memory of 2760	1616	cmd.exe	30
PID 1616 wrote to memory of 2760	1616	cmd.exe	30
PID 1616 wrote to memory of 1708	1616	cmd.exe	31
PID 1616 wrote to memory of 1708	1616	cmd.exe	31
PID 1616 wrote to memory of 1708	1616	cmd.exe	31
PID 1616 wrote to memory of 2304	1616	cmd.exe	32
PID 1616 wrote to memory of 2304	1616	cmd.exe	32
PID 1616 wrote to memory of 2304	1616	cmd.exe	32
PID 1616 wrote to memory of 3068	1616	cmd.exe	33
PID 1616 wrote to memory of 3068	1616	cmd.exe	33
PID 1616 wrote to memory of 3068	1616	cmd.exe	33
PID 1616 wrote to memory of 3040	1616	cmd.exe	34
PID 1616 wrote to memory of 3040	1616	cmd.exe	34
PID 1616 wrote to memory of 3040	1616	cmd.exe	34
PID 1616 wrote to memory of 2576	1616	cmd.exe	35
PID 1616 wrote to memory of 2576	1616	cmd.exe	35
PID 1616 wrote to memory of 2576	1616	cmd.exe	35
PID 1616 wrote to memory of 2584	1616	cmd.exe	37
PID 1616 wrote to memory of 2584	1616	cmd.exe	37
PID 1616 wrote to memory of 2584	1616	cmd.exe	37
PID 1616 wrote to memory of 2816	1616	cmd.exe	38
PID 1616 wrote to memory of 2816	1616	cmd.exe	38
PID 1616 wrote to memory of 2816	1616	cmd.exe	38
PID 1616 wrote to memory of 2716	1616	cmd.exe	39
PID 1616 wrote to memory of 2716	1616	cmd.exe	39
PID 1616 wrote to memory of 2716	1616	cmd.exe	39
PID 1616 wrote to memory of 2728	1616	cmd.exe	40
PID 1616 wrote to memory of 2728	1616	cmd.exe	40
PID 1616 wrote to memory of 2728	1616	cmd.exe	40
PID 1616 wrote to memory of 2444	1616	cmd.exe	41
PID 1616 wrote to memory of 2444	1616	cmd.exe	41
PID 1616 wrote to memory of 2444	1616	cmd.exe	41
PID 1616 wrote to memory of 2152	1616	cmd.exe	42
PID 1616 wrote to memory of 2152	1616	cmd.exe	42
PID 1616 wrote to memory of 2152	1616	cmd.exe	42
PID 1616 wrote to memory of 2552	1616	cmd.exe	43
PID 1616 wrote to memory of 2552	1616	cmd.exe	43
PID 1616 wrote to memory of 2552	1616	cmd.exe	43
PID 1616 wrote to memory of 2736	1616	cmd.exe	44
PID 1616 wrote to memory of 2736	1616	cmd.exe	44
PID 1616 wrote to memory of 2736	1616	cmd.exe	44
PID 1616 wrote to memory of 2472	1616	cmd.exe	45
PID 1616 wrote to memory of 2472	1616	cmd.exe	45
PID 1616 wrote to memory of 2472	1616	cmd.exe	45
PID 1616 wrote to memory of 2812	1616	cmd.exe	46
PID 1616 wrote to memory of 2812	1616	cmd.exe	46
PID 1616 wrote to memory of 2812	1616	cmd.exe	46
PID 1616 wrote to memory of 2524	1616	cmd.exe	47
PID 1616 wrote to memory of 2524	1616	cmd.exe	47
PID 1616 wrote to memory of 2524	1616	cmd.exe	47
PID 1616 wrote to memory of 2460	1616	cmd.exe	48
PID 1616 wrote to memory of 2460	1616	cmd.exe	48
PID 1616 wrote to memory of 2460	1616	cmd.exe	48
PID 1616 wrote to memory of 2944	1616	cmd.exe	49
PID 1616 wrote to memory of 2944	1616	cmd.exe	49
PID 1616 wrote to memory of 2944	1616	cmd.exe	49
PID 1616 wrote to memory of 2572	1616	cmd.exe	50
PID 1616 wrote to memory of 2572	1616	cmd.exe	50
PID 1616 wrote to memory of 2572	1616	cmd.exe	50
PID 1616 wrote to memory of 2484	1616	cmd.exe	51

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MENU.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\system32\chcp.com
  chcp 866
  2⤵
  PID:2620
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19"
  2⤵
  PID:2760
- C:\Windows\system32\mode.com
  Mode 81,37
  2⤵
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win center foreground
  2⤵
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win settext foreground "CMEditor"
  2⤵
  PID:3068
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption /Format:List
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\system32\find.exe
  find /i "11"
  2⤵
  PID:2576
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
  2⤵
  PID:2584
- C:\Windows\system32\reg.exe
  reg query "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location"
  2⤵
  PID:2816
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\pintohome"
  2⤵
  PID:2716
- C:\Windows\system32\reg.exe
  reg query "HKCR\exefile\shellex\ContextMenuHandlers\Compatibility"
  2⤵
  PID:2728
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runasuser" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2444
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ModernSharing"
  2⤵
  PID:2152
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\SendTo"
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
  2⤵
  PID:2736
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
  2⤵
  PID:2472
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"
  2⤵
  PID:2812
- C:\Windows\system32\reg.exe
  reg query "HKCR\*\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
  2⤵
  PID:2524
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\opennewprocess"
  2⤵
  PID:2460
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.bmp\ShellEx\ContextMenuHandlers\ShellImagePreview"
  2⤵
  PID:2944
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\txtfile\shell\print" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2572
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Display"
  2⤵
  PID:2484
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Personalize" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2732
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runas" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2492
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.jpeg\Shell\setdesktopwallpaper" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2608
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\shellex\ContextMenuHandlers\DesktopSlideshow"
  2⤵
  PID:2440
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\Shell\Display"
  2⤵
  PID:2448
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2488
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Drive\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2508
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\CopyAsPathMenu"
  2⤵
  PID:2556
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0a} Зеленым {08}цветом - пункт удален; {0c}красным{08} - показывается{\n #}{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {08} 0{#} {08}Windows 11{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 1{#} {0c}Предоставить доступ{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 2{#} {0c}Добавить в библиотеку{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 3{#} {0a}Закрепить на панели быстрого доступа{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1224
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 4{#} {0c}Исправление проблем с совместимостью{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 5{#} {0c}Запуск от имени другого пользователя{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 6{#} {0a}Отправить [поделиться]{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1128
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 7{#} {0c}Отправить [в программу]{#} {08}| {0e}70 - Дополнительные настройки{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2412
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 8{#} {0a}Закрепить на начальном экране{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 9{#} {0c}Восстановить прежнюю версию{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}10{#} {0c}Отправить на устройство{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}11{#} {0c}Закрепить на панели задач{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:992
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}12{#} {0c}Открыть в новом процессе{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}13{#} {0c}Повернуть право/влево{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:376
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}14{#} {0c}Печать{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}15{#} {0c}Параметры экрана{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:840
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}16{#} {0c}Персонализация {#}{08}| {0e}60 - Дополнительные настройки{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:752
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}17{#} {0c}Запуск от имени администратора {08}[bat/cmd/exe/lnk]{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1452
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}18{#} {0c}Следующее фоновое изображение рабочего стола{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}19{#} {0c}Сделать фоновым изображением рабочего стола{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:796
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}20{#} {0c}Копировать как путь{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}21{#} {0c}Открыть окно PowerShell здесь{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}22{#} {0c}Открыть окно комманд{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {4f}77{04} Скрыть все пункты {4f}за раз{08} [1-18] [с подтверждением]{\n #}{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}23{#} {09}Другое{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}24{#} {0b}Рабочий стол и значок компьютер{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}25{#} {0b}Меню Создать{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}26{#} {0b}Панель задач {08}[сейчас {08}стандартное контекстное меню]{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}27{#} {0b}Win + X{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}30{#} {3f}Проверить обновления{08} [{0e}текущая версия - {09}1.3.7{08}]{\n #}{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2780
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd execmd TrInstaller /c nircmd execmd reg delete "HKLM\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" /f
  2⤵
  PID:492
- - C:\Windows\system32\cmd.exe
    cmd.exe /c TrInstaller /c nircmd execmd reg delete "HKLM\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" /f
    3⤵
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\Work\TrInstaller.exe
      TrInstaller /c nircmd execmd reg delete "HKLM\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" /f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2784
- C:\Windows\system32\chcp.com
  chcp 866
  2⤵
  PID:2796
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19"
  2⤵
  PID:2200
- C:\Windows\system32\mode.com
  Mode 81,37
  2⤵
  PID:1572
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win center foreground
  2⤵
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win settext foreground "CMEditor"
  2⤵
  PID:1928
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption /Format:List
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\system32\find.exe
  find /i "11"
  2⤵
  PID:2420
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
  2⤵
  PID:2176
- C:\Windows\system32\reg.exe
  reg query "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location"
  2⤵
  PID:2380
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\pintohome"
  2⤵
  PID:2188
- C:\Windows\system32\reg.exe
  reg query "HKCR\exefile\shellex\ContextMenuHandlers\Compatibility"
  2⤵
  PID:264
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runasuser" /v "ProgrammaticAccessOnly"
  2⤵
  PID:664
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ModernSharing"
  2⤵
  PID:332
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\SendTo"
  2⤵
  PID:724
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
  2⤵
  PID:680
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
  2⤵
  PID:1396
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"
  2⤵
  PID:1412
- C:\Windows\system32\reg.exe
  reg query "HKCR\*\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
  2⤵
  PID:588
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\opennewprocess"
  2⤵
  PID:2824
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.bmp\ShellEx\ContextMenuHandlers\ShellImagePreview"
  2⤵
  PID:1392
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\txtfile\shell\print" /v "ProgrammaticAccessOnly"
  2⤵
  PID:568
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Display"
  2⤵
  PID:804
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Personalize" /v "ProgrammaticAccessOnly"
  2⤵
  PID:1808
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runas" /v "ProgrammaticAccessOnly"
  2⤵
  PID:832
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.jpeg\Shell\setdesktopwallpaper" /v "ProgrammaticAccessOnly"
  2⤵
  PID:800
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\shellex\ContextMenuHandlers\DesktopSlideshow"
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\Shell\Display"
  2⤵
  PID:772
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:1044
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Drive\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:852
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\CopyAsPathMenu"
  2⤵
  PID:1940
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:1944
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0a} Зеленым {08}цветом - пункт удален; {0c}красным{08} - показывается{\n #}{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {08} 0{#} {08}Windows 11{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 1{#} {0c}Предоставить доступ{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 2{#} {0c}Добавить в библиотеку{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:868
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 3{#} {0a}Закрепить на панели быстрого доступа{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 4{#} {0c}Исправление проблем с совместимостью{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 5{#} {0c}Запуск от имени другого пользователя{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 6{#} {0a}Отправить [поделиться]{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 7{#} {0c}Отправить [в программу]{#} {08}| {0e}70 - Дополнительные настройки{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 8{#} {0a}Закрепить на начальном экране{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 9{#} {0c}Восстановить прежнюю версию{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:948
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}10{#} {0c}Отправить на устройство{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}11{#} {0c}Закрепить на панели задач{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1888
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}12{#} {0c}Открыть в новом процессе{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}13{#} {0c}Повернуть право/влево{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:304
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}14{#} {0c}Печать{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}15{#} {0c}Параметры экрана{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:736
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}16{#} {0c}Персонализация {#}{08}| {0e}60 - Дополнительные настройки{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}17{#} {0c}Запуск от имени администратора {08}[bat/cmd/exe/lnk]{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}18{#} {0c}Следующее фоновое изображение рабочего стола{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}19{#} {0c}Сделать фоновым изображением рабочего стола{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}20{#} {0c}Копировать как путь{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}21{#} {0c}Открыть окно PowerShell здесь{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}22{#} {0c}Открыть окно комманд{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:604
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {4f}77{04} Скрыть все пункты {4f}за раз{08} [1-18] [с подтверждением]{\n #}{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}23{#} {09}Другое{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}24{#} {0b}Рабочий стол и значок компьютер{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}25{#} {0b}Меню Создать{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}26{#} {0b}Панель задач {08}[сейчас {08}стандартное контекстное меню]{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:888
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}27{#} {0b}Win + X{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}30{#} {3f}Проверить обновления{08} [{0e}текущая версия - {09}1.3.7{08}]{\n #}{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:3008
- C:\Windows\system32\reg.exe
  reg query "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location"
  2⤵
  PID:2820
- C:\Windows\system32\reg.exe
  reg delete "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location" /f
  2⤵
  - Modifies registry class
  PID:1780
- C:\Windows\system32\chcp.com
  chcp 866
  2⤵
  PID:1776
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19"
  2⤵
  PID:2144
- C:\Windows\system32\mode.com
  Mode 81,37
  2⤵
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win center foreground
  2⤵
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win settext foreground "CMEditor"
  2⤵
  PID:1528
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption /Format:List
  2⤵
  PID:1520
- C:\Windows\system32\find.exe
  find /i "11"
  2⤵
  PID:1624
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
  2⤵
  PID:3068
- C:\Windows\system32\reg.exe
  reg query "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location"
  2⤵
  PID:2316
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\pintohome"
  2⤵
  PID:2632
- C:\Windows\system32\reg.exe
  reg query "HKCR\exefile\shellex\ContextMenuHandlers\Compatibility"
  2⤵
  PID:2564
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runasuser" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2648
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ModernSharing"
  2⤵
  PID:3040
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\SendTo"
  2⤵
  PID:2560
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
  2⤵
  PID:2748
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
  2⤵
  PID:2744
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"
  2⤵
  PID:2568
- C:\Windows\system32\reg.exe
  reg query "HKCR\*\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\opennewprocess"
  2⤵
  PID:2988
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.bmp\ShellEx\ContextMenuHandlers\ShellImagePreview"
  2⤵
  PID:2596
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\txtfile\shell\print" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2752
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Display"
  2⤵
  PID:2280
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Personalize" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2464
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runas" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.jpeg\Shell\setdesktopwallpaper" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2788
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\shellex\ContextMenuHandlers\DesktopSlideshow"
  2⤵
  PID:1636
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\Shell\Display"
  2⤵
  PID:2600
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2548
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2072
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Drive\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2672
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\CopyAsPathMenu"
  2⤵
  PID:2436
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:2432
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0a} Зеленым {08}цветом - пункт удален; {0c}красным{08} - показывается{\n #}{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2468
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {08} 0{#} {08}Windows 11{\n #}
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 1{#} {0c}Предоставить доступ{\n #}
  2⤵
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 2{#} {0a}Добавить в библиотеку{\n #}
  2⤵
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 3{#} {0a}Закрепить на панели быстрого доступа{\n #}
  2⤵
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 4{#} {0c}Исправление проблем с совместимостью{\n #}
  2⤵
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 5{#} {0c}Запуск от имени другого пользователя{\n #}
  2⤵
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 6{#} {0a}Отправить [поделиться]{\n #}
  2⤵
  PID:848
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 7{#} {0c}Отправить [в программу]{#} {08}| {0e}70 - Дополнительные настройки{\n #}
  2⤵
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 8{#} {0a}Закрепить на начальном экране{\n #}
  2⤵
  PID:1128
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 9{#} {0c}Восстановить прежнюю версию{\n #}
  2⤵
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}10{#} {0c}Отправить на устройство{\n #}
  2⤵
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}11{#} {0c}Закрепить на панели задач{\n #}
  2⤵
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}12{#} {0c}Открыть в новом процессе{\n #}
  2⤵
  PID:992
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}13{#} {0c}Повернуть право/влево{\n #}
  2⤵
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}14{#} {0c}Печать{\n #}
  2⤵
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}15{#} {0c}Параметры экрана{\n #}
  2⤵
  PID:788
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}16{#} {0c}Персонализация {#}{08}| {0e}60 - Дополнительные настройки{\n #}
  2⤵
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}17{#} {0c}Запуск от имени администратора {08}[bat/cmd/exe/lnk]{\n #}
  2⤵
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}18{#} {0c}Следующее фоновое изображение рабочего стола{\n #}
  2⤵
  PID:796
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}19{#} {0c}Сделать фоновым изображением рабочего стола{\n #}
  2⤵
  PID:620
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}20{#} {0c}Копировать как путь{\n #}
  2⤵
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}21{#} {0c}Открыть окно PowerShell здесь{\n #}
  2⤵
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}22{#} {0c}Открыть окно комманд{\n #}
  2⤵
  PID:836
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {4f}77{04} Скрыть все пункты {4f}за раз{08} [1-18] [с подтверждением]{\n #}{\n #}
  2⤵
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}23{#} {09}Другое{\n #}
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}24{#} {0b}Рабочий стол и значок компьютер{\n #}
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}25{#} {0b}Меню Создать{\n #}
  2⤵
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}26{#} {0b}Панель задач {08}[сейчас {08}стандартное контекстное меню]{\n #}
  2⤵
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}27{#} {0b}Win + X{\n #}
  2⤵
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}30{#} {3f}Проверить обновления{08} [{0e}текущая версия - {09}1.3.7{08}]{\n #}{\n #}
  2⤵
  PID:1676
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\pintohome"
  2⤵
  PID:2912
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Classes\Folder\shell\pintohome" /v "AppliesTo" /t reg_SZ /d "System.ParsingName:<>\"::{679f85cb-0220-4080-b29b-5540cc05aab6}\" AND System.ParsingName:<>\"::{645FF040-5081-101B-9F08-00AA002F954E}\" AND System.IsFolder:=System.StructuredQueryType.Boolean#True" /f
  2⤵
  - Modifies registry class
  PID:2268
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Classes\Folder\shell\pintohome" /v "MUIVerb" /t reg_SZ /d "@shell32.dll,-51377" /f
  2⤵
  - Modifies registry class
  PID:2784
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Classes\Folder\shell\pintohome\command" /v "DelegateExecute" /t reg_SZ /d "{b455f46e-e4af-4035-b0a4-cf18d2f6f28e}" /f
  2⤵
  - Modifies registry class
  PID:2476
- C:\Windows\system32\chcp.com
  chcp 866
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19"
  2⤵
  PID:2172
- C:\Windows\system32\mode.com
  Mode 81,37
  2⤵
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win center foreground
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win settext foreground "CMEditor"
  2⤵
  PID:1996
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption /Format:List
  2⤵
  PID:1864
- C:\Windows\system32\find.exe
  find /i "11"
  2⤵
  PID:2164
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
  2⤵
  PID:2176
- C:\Windows\system32\reg.exe
  reg query "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location"
  2⤵
  PID:2380
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\pintohome"
  2⤵
  PID:2188
- C:\Windows\system32\reg.exe
  reg query "HKCR\exefile\shellex\ContextMenuHandlers\Compatibility"
  2⤵
  PID:264
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runasuser" /v "ProgrammaticAccessOnly"
  2⤵
  PID:664
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ModernSharing"
  2⤵
  PID:332
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\SendTo"
  2⤵
  PID:724
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
  2⤵
  PID:680
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
  2⤵
  PID:1396
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"
  2⤵
  PID:1412
- C:\Windows\system32\reg.exe
  reg query "HKCR\*\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
  2⤵
  PID:588
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\opennewprocess"
  2⤵
  PID:2824
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.bmp\ShellEx\ContextMenuHandlers\ShellImagePreview"
  2⤵
  PID:1392
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\txtfile\shell\print" /v "ProgrammaticAccessOnly"
  2⤵
  PID:568
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Display"
  2⤵
  PID:804
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Personalize" /v "ProgrammaticAccessOnly"
  2⤵
  PID:1808
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runas" /v "ProgrammaticAccessOnly"
  2⤵
  PID:832
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.jpeg\Shell\setdesktopwallpaper" /v "ProgrammaticAccessOnly"
  2⤵
  PID:800
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\shellex\ContextMenuHandlers\DesktopSlideshow"
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\Shell\Display"
  2⤵
  PID:772
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:1044
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Drive\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:852
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\CopyAsPathMenu"
  2⤵
  PID:1940
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:1944
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0a} Зеленым {08}цветом - пункт удален; {0c}красным{08} - показывается{\n #}{\n #}
  2⤵
  PID:1096
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {08} 0{#} {08}Windows 11{\n #}
  2⤵
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 1{#} {0c}Предоставить доступ{\n #}
  2⤵
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 2{#} {0a}Добавить в библиотеку{\n #}
  2⤵
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 3{#} {0c}Закрепить на панели быстрого доступа{\n #}
  2⤵
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 4{#} {0c}Исправление проблем с совместимостью{\n #}
  2⤵
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 5{#} {0c}Запуск от имени другого пользователя{\n #}
  2⤵
  PID:1592
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 6{#} {0a}Отправить [поделиться]{\n #}
  2⤵
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 7{#} {0c}Отправить [в программу]{#} {08}| {0e}70 - Дополнительные настройки{\n #}
  2⤵
  PID:928
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 8{#} {0a}Закрепить на начальном экране{\n #}
  2⤵
  PID:296
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 9{#} {0c}Восстановить прежнюю версию{\n #}
  2⤵
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}10{#} {0c}Отправить на устройство{\n #}
  2⤵
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}11{#} {0c}Закрепить на панели задач{\n #}
  2⤵
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}12{#} {0c}Открыть в новом процессе{\n #}
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}13{#} {0c}Повернуть право/влево{\n #}
  2⤵
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}14{#} {0c}Печать{\n #}
  2⤵
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}15{#} {0c}Параметры экрана{\n #}
  2⤵
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}16{#} {0c}Персонализация {#}{08}| {0e}60 - Дополнительные настройки{\n #}
  2⤵
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}17{#} {0c}Запуск от имени администратора {08}[bat/cmd/exe/lnk]{\n #}
  2⤵
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}18{#} {0c}Следующее фоновое изображение рабочего стола{\n #}
  2⤵
  PID:2292
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}19{#} {0c}Сделать фоновым изображением рабочего стола{\n #}
  2⤵
  PID:352
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}20{#} {0c}Копировать как путь{\n #}
  2⤵
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}21{#} {0c}Открыть окно PowerShell здесь{\n #}
  2⤵
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}22{#} {0c}Открыть окно комманд{\n #}
  2⤵
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {4f}77{04} Скрыть все пункты {4f}за раз{08} [1-18] [с подтверждением]{\n #}{\n #}
  2⤵
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}23{#} {09}Другое{\n #}
  2⤵
  PID:2972
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}24{#} {0b}Рабочий стол и значок компьютер{\n #}
  2⤵
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}25{#} {0b}Меню Создать{\n #}
  2⤵
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}26{#} {0b}Панель задач {08}[сейчас {08}стандартное контекстное меню]{\n #}
  2⤵
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}27{#} {0b}Win + X{\n #}
  2⤵
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}30{#} {3f}Проверить обновления{08} [{0e}текущая версия - {09}1.3.7{08}]{\n #}{\n #}
  2⤵
  PID:2640
- C:\Windows\system32\reg.exe
  reg query "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location"
  2⤵
  PID:2564
- C:\Windows\system32\reg.exe
  reg add "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location" /ve /t reg_SZ /d "{3dad6c5d-2167-4cae-9914-f99e41c12cfa}" /f
  2⤵
  - Modifies registry class
  PID:2648
- C:\Windows\system32\chcp.com
  chcp 866
  2⤵
  PID:3040
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19"
  2⤵
  PID:2560
- C:\Windows\system32\mode.com
  Mode 81,37
  2⤵
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win center foreground
  2⤵
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win settext foreground "CMEditor"
  2⤵
  PID:2568
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption /Format:List
  2⤵
  PID:2616
- C:\Windows\system32\find.exe
  find /i "11"
  2⤵
  PID:2988
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
  2⤵
  PID:2464
- C:\Windows\system32\reg.exe
  reg query "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location"
  2⤵
  PID:2772
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\pintohome"
  2⤵
  PID:2788
- C:\Windows\system32\reg.exe
  reg query "HKCR\exefile\shellex\ContextMenuHandlers\Compatibility"
  2⤵
  PID:1636
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runasuser" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2600
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ModernSharing"
  2⤵
  PID:2548
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\SendTo"
  2⤵
  PID:2072
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
  2⤵
  PID:2672
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
  2⤵
  PID:2436
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"
  2⤵
  PID:2432
- C:\Windows\system32\reg.exe
  reg query "HKCR\*\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
  2⤵
  PID:2452
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\opennewprocess"
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.bmp\ShellEx\ContextMenuHandlers\ShellImagePreview"
  2⤵
  PID:2488
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\txtfile\shell\print" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2508
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Display"
  2⤵
  PID:2556
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Personalize" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runas" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2904
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.jpeg\Shell\setdesktopwallpaper" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2480
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\shellex\ContextMenuHandlers\DesktopSlideshow"
  2⤵
  PID:2916
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\Shell\Display"
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2920
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Drive\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:1468
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\CopyAsPathMenu"
  2⤵
  PID:1596
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:1224
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:1220
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0a} Зеленым {08}цветом - пункт удален; {0c}красным{08} - показывается{\n #}{\n #}
  2⤵
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {08} 0{#} {08}Windows 11{\n #}
  2⤵
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 1{#} {0c}Предоставить доступ{\n #}
  2⤵
  PID:1128
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 2{#} {0c}Добавить в библиотеку{\n #}
  2⤵
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 3{#} {0c}Закрепить на панели быстрого доступа{\n #}
  2⤵
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 4{#} {0c}Исправление проблем с совместимостью{\n #}
  2⤵
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 5{#} {0c}Запуск от имени другого пользователя{\n #}
  2⤵
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 6{#} {0a}Отправить [поделиться]{\n #}
  2⤵
  PID:376
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 7{#} {0c}Отправить [в программу]{#} {08}| {0e}70 - Дополнительные настройки{\n #}
  2⤵
  PID:292
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 8{#} {0a}Закрепить на начальном экране{\n #}
  2⤵
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 9{#} {0c}Восстановить прежнюю версию{\n #}
  2⤵
  PID:1028
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}10{#} {0c}Отправить на устройство{\n #}
  2⤵
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}11{#} {0c}Закрепить на панели задач{\n #}
  2⤵
  PID:1608
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}12{#} {0c}Открыть в новом процессе{\n #}
  2⤵
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}13{#} {0c}Повернуть право/влево{\n #}
  2⤵
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}14{#} {0c}Печать{\n #}
  2⤵
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}15{#} {0c}Параметры экрана{\n #}
  2⤵
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}16{#} {0c}Персонализация {#}{08}| {0e}60 - Дополнительные настройки{\n #}
  2⤵
  PID:2064
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}17{#} {0c}Запуск от имени администратора {08}[bat/cmd/exe/lnk]{\n #}
  2⤵
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}18{#} {0c}Следующее фоновое изображение рабочего стола{\n #}
  2⤵
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}19{#} {0c}Сделать фоновым изображением рабочего стола{\n #}
  2⤵
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}20{#} {0c}Копировать как путь{\n #}
  2⤵
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}21{#} {0c}Открыть окно PowerShell здесь{\n #}
  2⤵
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}22{#} {0c}Открыть окно комманд{\n #}
  2⤵
  PID:2056
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {4f}77{04} Скрыть все пункты {4f}за раз{08} [1-18] [с подтверждением]{\n #}{\n #}
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}23{#} {09}Другое{\n #}
  2⤵
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}24{#} {0b}Рабочий стол и значок компьютер{\n #}
  2⤵
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}25{#} {0b}Меню Создать{\n #}
  2⤵
  PID:1572
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}26{#} {0b}Панель задач {08}[сейчас {08}стандартное контекстное меню]{\n #}
  2⤵
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}27{#} {0b}Win + X{\n #}
  2⤵
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}30{#} {3f}Проверить обновления{08} [{0e}текущая версия - {09}1.3.7{08}]{\n #}{\n #}
  2⤵
  PID:2216
- C:\Windows\system32\reg.exe
  reg query "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location"
  2⤵
  PID:2176
- C:\Windows\system32\reg.exe
  reg delete "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location" /f
  2⤵
  - Modifies registry class
  PID:2380
- C:\Windows\system32\chcp.com
  chcp 866
  2⤵
  PID:2188
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19"
  2⤵
  PID:264
- C:\Windows\system32\mode.com
  Mode 81,37
  2⤵
  PID:664
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win center foreground
  2⤵
  PID:332
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win settext foreground "CMEditor"
  2⤵
  PID:724
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption /Format:List
  2⤵
  PID:680
- C:\Windows\system32\find.exe
  find /i "11"
  2⤵
  PID:1396
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
  2⤵
  PID:1392
- C:\Windows\system32\reg.exe
  reg query "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location"
  2⤵
  PID:568
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\pintohome"
  2⤵
  PID:804
- C:\Windows\system32\reg.exe
  reg query "HKCR\exefile\shellex\ContextMenuHandlers\Compatibility"
  2⤵
  PID:1808
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runasuser" /v "ProgrammaticAccessOnly"
  2⤵
  PID:832
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ModernSharing"
  2⤵
  PID:800
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\SendTo"
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
  2⤵
  PID:772
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
  2⤵
  PID:1044
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"
  2⤵
  PID:1688
- C:\Windows\system32\reg.exe
  reg query "HKCR\*\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
  2⤵
  PID:852
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\opennewprocess"
  2⤵
  PID:1940
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.bmp\ShellEx\ContextMenuHandlers\ShellImagePreview"
  2⤵
  PID:1944
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\txtfile\shell\print" /v "ProgrammaticAccessOnly"
  2⤵
  PID:1756
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Display"
  2⤵
  PID:1096
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Personalize" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2408
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runas" /v "ProgrammaticAccessOnly"
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.jpeg\Shell\setdesktopwallpaper" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2404
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\shellex\ContextMenuHandlers\DesktopSlideshow"
  2⤵
  PID:988
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\Shell\Display"
  2⤵
  PID:2168
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:3044
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2264
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Drive\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\CopyAsPathMenu"
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:2156
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0a} Зеленым {08}цветом - пункт удален; {0c}красным{08} - показывается{\n #}{\n #}
  2⤵
  PID:1460
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {08} 0{#} {08}Windows 11{\n #}
  2⤵
  PID:1592
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 1{#} {0c}Предоставить доступ{\n #}
  2⤵
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 2{#} {0a}Добавить в библиотеку{\n #}
  2⤵
  PID:928
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 3{#} {0c}Закрепить на панели быстрого доступа{\n #}
  2⤵
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 4{#} {0c}Исправление проблем с совместимостью{\n #}
  2⤵
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 5{#} {0c}Запуск от имени другого пользователя{\n #}
  2⤵
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 6{#} {0a}Отправить [поделиться]{\n #}
  2⤵
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 7{#} {0c}Отправить [в программу]{#} {08}| {0e}70 - Дополнительные настройки{\n #}
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 8{#} {0a}Закрепить на начальном экране{\n #}
  2⤵
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 9{#} {0c}Восстановить прежнюю версию{\n #}
  2⤵
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}10{#} {0c}Отправить на устройство{\n #}
  2⤵
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}11{#} {0c}Закрепить на панели задач{\n #}
  2⤵
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}12{#} {0c}Открыть в новом процессе{\n #}
  2⤵
  PID:1784
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}13{#} {0c}Повернуть право/влево{\n #}
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}14{#} {0c}Печать{\n #}
  2⤵
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}15{#} {0c}Параметры экрана{\n #}
  2⤵
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}16{#} {0c}Персонализация {#}{08}| {0e}60 - Дополнительные настройки{\n #}
  2⤵
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}17{#} {0c}Запуск от имени администратора {08}[bat/cmd/exe/lnk]{\n #}
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}18{#} {0c}Следующее фоновое изображение рабочего стола{\n #}
  2⤵
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}19{#} {0c}Сделать фоновым изображением рабочего стола{\n #}
  2⤵
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}20{#} {0c}Копировать как путь{\n #}
  2⤵
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}21{#} {0c}Открыть окно PowerShell здесь{\n #}
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}22{#} {0c}Открыть окно комманд{\n #}
  2⤵
  PID:1520
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {4f}77{04} Скрыть все пункты {4f}за раз{08} [1-18] [с подтверждением]{\n #}{\n #}
  2⤵
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}23{#} {09}Другое{\n #}
  2⤵
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}24{#} {0b}Рабочий стол и значок компьютер{\n #}
  2⤵
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}25{#} {0b}Меню Создать{\n #}
  2⤵
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}26{#} {0b}Панель задач {08}[сейчас {08}стандартное контекстное меню]{\n #}
  2⤵
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}27{#} {0b}Win + X{\n #}
  2⤵
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}30{#} {3f}Проверить обновления{08} [{0e}текущая версия - {09}1.3.7{08}]{\n #}{\n #}
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  reg query "HKCR\regfile\shell\regconvert"
  2⤵
  PID:2944
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\txtfile\shell\edit"
  2⤵
  PID:2572
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.Appx\shell\Install"
  2⤵
  PID:2484
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoCustomizeThisFolder"
  2⤵
  PID:2732
- C:\Windows\system32\reg.exe
  reg query "HKCR\*\shell\Уничтожить"
  2⤵
  PID:2492
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartIsBack"
  2⤵
  PID:2608
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver"
  2⤵
  PID:2440
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 1{#} - {04}Notepad++ {08}[Пункт изменить для txt/inf/ini/ps1 и др. форматов в Notepad ++]{\n #}
  2⤵
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 2{#} - {04}RegToBat {08}[Быстрое конвертирование .reg в .bat файлы]{\n #}
  2⤵
  PID:2468
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 3{#} - {04}Установить UWP {08}[Для .appx/appxbundle/msix/msixbundle]{\n #}
  2⤵
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 4{#} - {8f}Закрепить в меню пуск{08} [Пункт от программы {0e}StartIsBack]{\n #}
  2⤵
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 5{#} - {04}Настроить папку{08} [Правый клик в проводнике в папках]{\n #}
  2⤵
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 6{#} - {8f}Минималистичное меню WinRar {08}[Останется только добавить/извлечь]{\n #}
  2⤵
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 7{#} - {8f}Пункт Уничтожить{0e} [Удалить/Сделать по Shift] {08}[От программы Unlocker]{\n #}
  2⤵
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0e} [Enter]{#} - {08}Вернуться в главное меню{\n #}
  2⤵
  PID:1312
- C:\Windows\system32\reg.exe
  reg query "HKCR\regfile\shell\regconvert"
  2⤵
  PID:848
- C:\Windows\system32\reg.exe
  reg add "HKCR\regfile\shell\regconvert" /v "Icon" /t REG_SZ /d "regedit.exe" /f
  2⤵
  - Modifies registry class
  PID:1188
- C:\Windows\system32\reg.exe
  reg add "HKCR\regfile\shell\regconvert" /v "Position" /t REG_SZ /d "Middle" /f
  2⤵
  - Modifies registry class
  PID:1216
- C:\Windows\system32\reg.exe
  reg add "HKCR\regfile\shell\regconvert" /v "SubCommands" /t REG_SZ /d "" /f
  2⤵
  - Modifies registry class
  PID:2412
- C:\Windows\system32\reg.exe
  reg add "HKCR\regfile\shell\regconvert" /v "MUIVerb" /t REG_SZ /d "Convert to .bat" /f
  2⤵
  - Modifies registry class
  PID:1364
- C:\Windows\system32\reg.exe
  reg add "HKCR\regfile\shell\regconvert\shell\001" /v "MUIVerb" /t REG_SZ /d "RegFile => BatFile" /f
  2⤵
  - Modifies registry class
  PID:1116
- C:\Windows\system32\reg.exe
  reg add "HKCR\regfile\shell\regconvert\shell\001" /v "Icon" /t REG_SZ /d "%SystemRoot%\System32\imageres.dll,63" /f
  2⤵
  - Modifies registry class
  PID:2680
- C:\Windows\system32\reg.exe
  reg add "HKCR\regfile\shell\regconvert\shell\001\command" /v "" /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Work\RegToScript.exe\" /bat \"%1\" %1.bat" /f
  2⤵
  - Modifies registry class
  PID:2724
- C:\Windows\system32\reg.exe
  reg add "HKCR\regfile\shell\regconvert\shell\002" /v "Icon" /t REG_SZ /d "%SystemRoot%\System32\imageres.dll,241" /f
  2⤵
  - Modifies registry class
  PID:2424
- C:\Windows\system32\reg.exe
  reg add "HKCR\regfile\shell\regconvert\shell\002" /v "MUIVerb" /t REG_SZ /d "RegFile => В буфер" /f
  2⤵
  - Modifies registry class
  PID:2684
- C:\Windows\system32\reg.exe
  reg add "HKCR\regfile\shell\regconvert\shell\002\command" /v "" /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Work\RegToScript.exe\" /bat /rh \"%1\" /clbrd" /f
  2⤵
  - Modifies registry class
  PID:2676
- C:\Windows\system32\reg.exe
  reg query "HKCR\regfile\shell\regconvert"
  2⤵
  PID:2336
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\txtfile\shell\edit"
  2⤵
  PID:1484
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.Appx\shell\Install"
  2⤵
  PID:992
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoCustomizeThisFolder"
  2⤵
  PID:2692
- C:\Windows\system32\reg.exe
  reg query "HKCR\*\shell\Уничтожить"
  2⤵
  PID:2104
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StartIsBack"
  2⤵
  PID:2700
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver"
  2⤵
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 1{#} - {04}Notepad++ {08}[Пункт изменить для txt/inf/ini/ps1 и др. форматов в Notepad ++]{\n #}
  2⤵
  PID:752
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 2{#} - {0a}RegToBat {08}[Быстрое конвертирование .reg в .bat файлы]{\n #}
  2⤵
  PID:788
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 3{#} - {04}Установить UWP {08}[Для .appx/appxbundle/msix/msixbundle]{\n #}
  2⤵
  PID:1016
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 4{#} - {8f}Закрепить в меню пуск{08} [Пункт от программы {0e}StartIsBack]{\n #}
  2⤵
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 5{#} - {04}Настроить папку{08} [Правый клик в проводнике в папках]{\n #}
  2⤵
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 6{#} - {8f}Минималистичное меню WinRar {08}[Останется только добавить/извлечь]{\n #}
  2⤵
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 7{#} - {8f}Пункт Уничтожить{0e} [Удалить/Сделать по Shift] {08}[От программы Unlocker]{\n #}
  2⤵
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0e} [Enter]{#} - {08}Вернуться в главное меню{\n #}
  2⤵
  PID:2096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-174-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/296-172-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/304-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/304-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/352-196-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/376-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/604-71-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/620-124-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/620-126-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/736-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/736-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/752-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/788-116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/796-121-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/796-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/796-123-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/836-132-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/840-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/840-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/848-95-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/868-47-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/888-77-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/928-170-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/928-171-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/948-55-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/992-109-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/992-107-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/992-15-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/992-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1004-130-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1096-151-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1096-149-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1108-44-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1108-45-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1128-98-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1128-100-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1128-9-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1132-97-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1188-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1216-219-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1224-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1232-36-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1236-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1244-118-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1256-53-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1364-221-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1428-78-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1432-70-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1452-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1452-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1536-56-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1540-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1548-134-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1552-74-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1556-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1592-164-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1592-166-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1596-93-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1596-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1596-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1600-61-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1600-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1604-178-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1628-75-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1628-76-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1648-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1656-186-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1660-161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1660-163-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-168-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1676-148-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1676-146-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1692-120-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1696-52-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1720-89-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1732-192-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1736-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1760-3-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1760-91-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1788-145-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1888-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1896-182-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1896-65-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-176-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1968-67-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1984-190-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1984-217-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2000-143-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2028-139-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2088-137-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2088-135-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2112-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2112-33-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2116-198-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2124-114-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-69-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-188-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2156-51-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2168-155-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2168-46-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2244-37-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2264-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2276-58-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2292-194-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2292-73-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2304-210-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2328-54-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2340-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2340-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2344-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2348-38-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2384-204-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2388-128-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2400-180-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2404-153-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2412-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-102-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2468-81-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2468-80-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2496-11-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2512-83-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2512-82-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2536-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2536-106-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2536-14-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2640-216-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2692-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2700-110-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2700-112-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2704-12-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2704-104-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2740-87-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2764-34-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2764-35-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2780-39-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2780-40-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2780-141-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2848-72-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2852-66-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2856-41-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2856-43-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2888-212-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2896-85-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2900-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2900-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2932-184-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2956-68-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2972-206-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2980-208-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2992-214-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-200-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3008-202-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3008-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3032-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3032-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3044-48-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3052-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3056-49-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download