fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 06:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Size

1006KB
MD5

2bfca009593c6b4be53979cf8d69023d
SHA1

0c019852533ee4d6f36dccdd6c0fca8070de2944
SHA256

fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
SHA512

e361860ab966bfec775d2d6ac4482dfd39516ef39d3c8069ec79a8d60a83a74a0103af8515408a1f2ff16145dd157a28e89adff469d9e3e800d602ec3367b8c4
SSDEEP

24576:/LZgDe961iKogI4B92x5CRnSjOVOPU3SrJrQBC/1cokZzY:/LZgD91i2tcgnSjO5wdQZ0

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\raskQgos\\WSsEAYow.exe,"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\raskQgos\\WSsEAYow.exe,"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\raskQgos\\WSsEAYow.exe,C:\\ProgramData\\MiYgwgwg\\xsYYEMwg.exe,"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\ProgramData\\raskQgos\\WSsEAYow.exe,C:\\ProgramData\\MiYgwgwg\\xsYYEMwg.exe,"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	NUgkowgc.exe

Executes dropped EXE 3 IoCs

pid	Process
2304	NUgkowgc.exe
4828	WSsEAYow.exe
2332	oYIoAMEI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xGUkEkAQ.exe = "C:\\Users\\Admin\\hIosskYE\\xGUkEkAQ.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsYYEMwg.exe = "C:\\ProgramData\\MiYgwgwg\\xsYYEMwg.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NUgkowgc.exe = "C:\\Users\\Admin\\IkQMocwY\\NUgkowgc.exe"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSsEAYow.exe = "C:\\ProgramData\\raskQgos\\WSsEAYow.exe"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xGUkEkAQ.exe = "C:\\Users\\Admin\\hIosskYE\\xGUkEkAQ.exe"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsYYEMwg.exe = "C:\\ProgramData\\MiYgwgwg\\xsYYEMwg.exe"	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSsEAYow.exe = "C:\\ProgramData\\raskQgos\\WSsEAYow.exe"	oYIoAMEI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NUgkowgc.exe = "C:\\Users\\Admin\\IkQMocwY\\NUgkowgc.exe"	NUgkowgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WSsEAYow.exe = "C:\\ProgramData\\raskQgos\\WSsEAYow.exe"	WSsEAYow.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\IkQMocwY	oYIoAMEI.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\IkQMocwY\NUgkowgc	oYIoAMEI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3224	2676	WerFault.exe	83
4340	3804	WerFault.exe	92
5080	3508	WerFault.exe	108
1824	2204	WerFault.exe	120
1300	4780	WerFault.exe	127
220	4856	WerFault.exe	138
3860	3224	WerFault.exe	149
2400	3584	WerFault.exe	160
1132	3592	WerFault.exe	173
2036	3956	WerFault.exe	184
2192	2520	WerFault.exe	196
2372	3456	WerFault.exe	208
3980	4720	WerFault.exe	219
3928	4644	WerFault.exe	230
3976	3904	WerFault.exe	241
1772	4804	WerFault.exe	252
4968	2844	WerFault.exe	263
1736	4720	WerFault.exe	275
4852	4296	WerFault.exe	286
1892	3944	WerFault.exe	297
2520	2904	WerFault.exe	308
2788	4840	WerFault.exe	321
1388	3980	WerFault.exe	332
1684	4320	WerFault.exe	343
720	3944	WerFault.exe	354
3996	3176	WerFault.exe	365
5004	1860	WerFault.exe	376
4832	1376	WerFault.exe	387
556	3856	WerFault.exe	398
2124	4420	WerFault.exe	409
5044	4340	WerFault.exe	420
392	1844	WerFault.exe	431
2644	3956	WerFault.exe	442
448	3764	WerFault.exe	453
5080	2996	WerFault.exe	464
556	4316	WerFault.exe	475
1692	4188	WerFault.exe	486
2312	2904	WerFault.exe	497
4500	4132	WerFault.exe	508
1796	4860	WerFault.exe	519
4736	1480	WerFault.exe	530
1884	2124	WerFault.exe	541
3908	4572	WerFault.exe	552
1376	1568	WerFault.exe	563
2960	1492	WerFault.exe	574
3704	2592	WerFault.exe	585
4188	3144	WerFault.exe	597
2720	4744	WerFault.exe	608
1880	3168	WerFault.exe	619
1644	5072	WerFault.exe	631
4268	2192	WerFault.exe	642
1092	1884	WerFault.exe	653
3600	4964	WerFault.exe	665
4696	4312	WerFault.exe	676
4476	2604	WerFault.exe	687
3428	720	WerFault.exe	698
3524	4080	WerFault.exe	709
2844	1824	WerFault.exe	720
1004	4872	WerFault.exe	731
4964	2284	WerFault.exe	742
4268	3976	WerFault.exe	753
4896	4780	WerFault.exe	764
4824	3424	WerFault.exe	775
3668	640	WerFault.exe	786

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xGUkEkAQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1960	Process not Found
3668	reg.exe
3932	reg.exe
1960	reg.exe
4644	reg.exe
5056	reg.exe
4196	reg.exe
2380	reg.exe
3668	reg.exe
3080	reg.exe
3416	Process not Found
1824	reg.exe
2400	reg.exe
4784	reg.exe
1064	reg.exe
3612	Process not Found
1248	reg.exe
4472	reg.exe
4744	reg.exe
5084	reg.exe
5084	reg.exe
1796	Process not Found
2892	reg.exe
4696	reg.exe
1728	Process not Found
4564	reg.exe
1864	reg.exe
968	reg.exe
3128	reg.exe
4964	reg.exe
1144	reg.exe
1412	reg.exe
2288	reg.exe
556	reg.exe
1860	reg.exe
3484	reg.exe
3932	reg.exe
3684	reg.exe
1480	reg.exe
4792	reg.exe
776	reg.exe
2720	reg.exe
5008	reg.exe
4764	reg.exe
4268	reg.exe
2920	reg.exe
4268	reg.exe
3612	reg.exe
3428	reg.exe
324	reg.exe
2868	reg.exe
3620	reg.exe
2436	Process not Found
2904	Process not Found
2888	reg.exe
2676	reg.exe
2644	reg.exe
3764	reg.exe
3116	reg.exe
3780	reg.exe
2788	reg.exe
3520	reg.exe
1860	reg.exe
100	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4780	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4780	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4780	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4780	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4856	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4856	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4856	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4856	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3224	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3224	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3224	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3224	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3584	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3584	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3584	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3584	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3592	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3592	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3592	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3592	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3956	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3956	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3956	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3956	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2520	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2520	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2520	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
2520	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3456	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3456	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3456	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3456	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4720	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4720	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4720	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4720	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4644	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4644	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4644	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4644	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3904	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3904	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3904	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
3904	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
4804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2304	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	87
PID 2676 wrote to memory of 2304	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	87
PID 2676 wrote to memory of 2304	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	87
PID 2676 wrote to memory of 4828	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	88
PID 2676 wrote to memory of 4828	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	88
PID 2676 wrote to memory of 4828	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	88
PID 2676 wrote to memory of 3196	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	90
PID 2676 wrote to memory of 3196	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	90
PID 2676 wrote to memory of 3196	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	90
PID 3196 wrote to memory of 3804	3196	cmd.exe	92
PID 3196 wrote to memory of 3804	3196	cmd.exe	92
PID 3196 wrote to memory of 3804	3196	cmd.exe	92
PID 2676 wrote to memory of 4296	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	93
PID 2676 wrote to memory of 4296	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	93
PID 2676 wrote to memory of 4296	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	93
PID 2676 wrote to memory of 3192	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	94
PID 2676 wrote to memory of 3192	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	94
PID 2676 wrote to memory of 3192	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	94
PID 2676 wrote to memory of 4244	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	95
PID 2676 wrote to memory of 4244	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	95
PID 2676 wrote to memory of 4244	2676	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	95
PID 3804 wrote to memory of 2644	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	103
PID 3804 wrote to memory of 2644	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	103
PID 3804 wrote to memory of 2644	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	103
PID 3804 wrote to memory of 1860	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	105
PID 3804 wrote to memory of 1860	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	105
PID 3804 wrote to memory of 1860	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	105
PID 3804 wrote to memory of 3712	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	106
PID 3804 wrote to memory of 3712	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	106
PID 3804 wrote to memory of 3712	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	106
PID 3804 wrote to memory of 2844	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	107
PID 3804 wrote to memory of 2844	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	107
PID 3804 wrote to memory of 2844	3804	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	107
PID 2644 wrote to memory of 3508	2644	cmd.exe	108
PID 2644 wrote to memory of 3508	2644	cmd.exe	108
PID 2644 wrote to memory of 3508	2644	cmd.exe	108
PID 3508 wrote to memory of 1736	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	114
PID 3508 wrote to memory of 1736	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	114
PID 3508 wrote to memory of 1736	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	114
PID 3508 wrote to memory of 744	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	116
PID 3508 wrote to memory of 744	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	116
PID 3508 wrote to memory of 744	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	116
PID 3508 wrote to memory of 3980	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	117
PID 3508 wrote to memory of 3980	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	117
PID 3508 wrote to memory of 3980	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	117
PID 3508 wrote to memory of 516	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	118
PID 3508 wrote to memory of 516	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	118
PID 3508 wrote to memory of 516	3508	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	118
PID 1736 wrote to memory of 2204	1736	cmd.exe	120
PID 1736 wrote to memory of 2204	1736	cmd.exe	120
PID 1736 wrote to memory of 2204	1736	cmd.exe	120
PID 2204 wrote to memory of 4140	2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	125
PID 2204 wrote to memory of 4140	2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	125
PID 2204 wrote to memory of 4140	2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	125
PID 4140 wrote to memory of 4780	4140	cmd.exe	127
PID 4140 wrote to memory of 4780	4140	cmd.exe	127
PID 4140 wrote to memory of 4780	4140	cmd.exe	127
PID 2204 wrote to memory of 3112	2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	128
PID 2204 wrote to memory of 3112	2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	128
PID 2204 wrote to memory of 3112	2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	128
PID 2204 wrote to memory of 3156	2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	129
PID 2204 wrote to memory of 3156	2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	129
PID 2204 wrote to memory of 3156	2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	129
PID 2204 wrote to memory of 4784	2204	fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe	130

C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
"C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\IkQMocwY\NUgkowgc.exe
  "C:\Users\Admin\IkQMocwY\NUgkowgc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2304
- C:\ProgramData\raskQgos\WSsEAYow.exe
  "C:\ProgramData\raskQgos\WSsEAYow.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
    C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        10⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        12⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        14⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        16⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        18⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        20⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        22⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        24⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        28⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        30⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        32⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        33⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        34⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        35⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        36⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        37⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        38⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        40⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        41⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        42⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        43⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        44⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        45⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        46⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        47⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        49⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        50⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        51⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        52⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        53⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        54⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        56⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        57⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        58⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        60⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        61⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        62⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        63⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        64⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        65⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        66⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        67⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        68⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        69⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        70⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        71⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        72⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        73⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        75⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        76⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        77⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        78⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        79⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        80⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        81⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        82⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        83⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        84⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        85⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        86⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        87⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        88⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        90⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        91⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        92⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        93⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        94⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        95⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        96⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        97⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        98⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        99⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        101⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        102⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        103⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        104⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        105⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        106⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        107⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        108⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        109⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        110⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        111⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        112⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        113⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        114⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        115⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        116⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        117⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        118⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        119⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        120⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        121⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        122⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        124⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        125⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        126⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        128⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        129⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        130⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        131⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        132⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        133⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        134⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        135⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        136⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        137⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        138⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        139⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        140⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        141⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        142⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        143⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        144⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        145⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        146⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        147⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        148⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        149⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        151⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        152⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        153⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        154⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        155⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        156⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        157⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        159⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        160⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        161⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        162⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        163⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        164⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        165⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        166⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        167⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        168⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        169⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        170⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        171⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        172⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        173⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        174⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        175⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        
        PID:3204
        
        C:\Users\Admin\hIosskYE\xGUkEkAQ.exe
        
        "C:\Users\Admin\hIosskYE\xGUkEkAQ.exe"
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 284
        177⤵
        
        PID:4748
        
        C:\ProgramData\MiYgwgwg\xsYYEMwg.exe
        
        "C:\ProgramData\MiYgwgwg\xsYYEMwg.exe"
        176⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 276
        177⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        176⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        177⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        178⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        179⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        180⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        181⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        182⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        184⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        185⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        186⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        187⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        189⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        190⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        191⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        192⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        193⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        194⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        195⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        196⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        197⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        198⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        199⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        200⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        201⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        203⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        204⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        205⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        206⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        207⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        208⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        209⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        210⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        211⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        212⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        213⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        214⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        215⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        216⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        217⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        218⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        219⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        220⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        221⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        222⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        223⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        224⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        225⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        226⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        227⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        228⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        229⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        230⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        232⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        233⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        234⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        236⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        237⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        238⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        239⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        240⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        241⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        242⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        243⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        244⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        245⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        246⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        247⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        248⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        249⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        250⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        251⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        252⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        253⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        254⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        256⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        259⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        260⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        261⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        262⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        263⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        265⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        266⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        267⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        268⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        269⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        270⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        271⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        272⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        273⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        274⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        275⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        276⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        277⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        278⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        279⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        280⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        281⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        282⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        283⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        284⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        285⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        286⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        288⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        289⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592"
        290⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592.exe
        
        C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        290⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        288⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        288⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        288⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 888
        288⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        286⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        286⤵
        Modifies registry key
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        286⤵
        UAC bypass
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 880
        286⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        284⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        284⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        284⤵
        UAC bypass
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 880
        284⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        282⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        282⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        282⤵
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 876
        282⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 876
        280⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        UAC bypass
        
        PID:3536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 876
        278⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 864
        276⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 880
        274⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        Modifies registry key
        
        PID:1144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 872
        272⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 880
        270⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 884
        268⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        Modifies registry key
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        Modifies registry key
        
        PID:3520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 876
        266⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 816
        264⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 876
        262⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        UAC bypass
        Modifies registry key
        
        PID:2380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 880
        260⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 876
        258⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        Modifies registry key
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 880
        256⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        UAC bypass
        
        PID:2288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 876
        254⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 876
        252⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        UAC bypass
        
        PID:2720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 872
        250⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 876
        248⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        Modifies registry key
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 876
        246⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 876
        244⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:2872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 876
        242⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        Modifies registry key
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 888
        240⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 876
        238⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        Modifies registry key
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 876
        236⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        
        PID:516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 888
        234⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 876
        232⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 876
        230⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 876
        228⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        Modifies registry key
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 872
        226⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 876
        224⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 876
        222⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        Modifies registry key
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 876
        220⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 884
        218⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        Modifies registry key
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 888
        216⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 876
        214⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies registry key
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 888
        212⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 876
        210⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 876
        208⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 876
        206⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        UAC bypass
        
        PID:2644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 888
        204⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 876
        202⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 880
        200⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        UAC bypass
        
        PID:3596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 876
        198⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 876
        196⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        Modifies registry key
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 868
        194⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        
        PID:216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 876
        192⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 876
        190⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        Modifies registry key
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 872
        188⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        UAC bypass
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 812
        186⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 876
        184⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 876
        182⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        Modifies registry key
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:64
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 872
        180⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 876
        178⤵
        
        PID:868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 908
        176⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:3112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 876
        174⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 888
        172⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 876
        170⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        
        PID:3536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 888
        168⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 876
        166⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 876
        164⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 888
        162⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:2388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 888
        160⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 876
        158⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 872
        156⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 876
        154⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:3176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 876
        152⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        Modifies registry key
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:1952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 876
        150⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        Modifies registry key
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 888
        148⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 872
        146⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 876
        144⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 856
        142⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 876
        140⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies registry key
        
        PID:3080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 876
        138⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:3668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 876
        136⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 872
        134⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        Modifies registry key
        
        PID:3484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 876
        132⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 888
        130⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 876
        128⤵
        Program crash
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 860
        126⤵
        Program crash
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        UAC bypass
        
        PID:2844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 880
        124⤵
        Program crash
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 896
        122⤵
        Program crash
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:5056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 888
        120⤵
        Program crash
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 896
        118⤵
        Program crash
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        Modifies registry key
        
        PID:2788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 876
        116⤵
        Program crash
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies registry key
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        UAC bypass
        
        PID:1076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 876
        114⤵
        Program crash
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        UAC bypass
        Modifies registry key
        
        PID:3620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 876
        112⤵
        Program crash
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:4744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 876
        110⤵
        Program crash
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        UAC bypass
        Modifies registry key
        
        PID:2400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 880
        108⤵
        Program crash
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 876
        106⤵
        Program crash
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 872
        104⤵
        Program crash
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        UAC bypass
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 876
        102⤵
        Program crash
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 872
        100⤵
        Program crash
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 876
        98⤵
        Program crash
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 872
        96⤵
        Program crash
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        UAC bypass
        
        PID:5064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 876
        94⤵
        Program crash
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 876
        92⤵
        Program crash
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 876
        90⤵
        Program crash
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 876
        88⤵
        Program crash
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 876
        86⤵
        Program crash
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        UAC bypass
        
        PID:3132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 876
        84⤵
        Program crash
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        Modifies registry key
        
        PID:1864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 876
        82⤵
        Program crash
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:4316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 876
        80⤵
        Program crash
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:2996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 816
        78⤵
        Program crash
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 876
        76⤵
        Program crash
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 872
        74⤵
        Program crash
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        UAC bypass
        
        PID:3832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 876
        72⤵
        Program crash
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies registry key
        
        PID:3428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:1768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 876
        70⤵
        Program crash
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 876
        68⤵
        Program crash
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:1480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 856
        66⤵
        Program crash
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 880
        64⤵
        Program crash
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        UAC bypass
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 876
        62⤵
        Program crash
        
        PID:5044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 892
        60⤵
        Program crash
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 876
        58⤵
        Program crash
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:3956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 872
        56⤵
        Program crash
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 840
        54⤵
        Program crash
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 872
        52⤵
        Program crash
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 872
        50⤵
        Program crash
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        Modifies registry key
        
        PID:4196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 876
        48⤵
        Program crash
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        Modifies registry key
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 872
        46⤵
        Program crash
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 876
        44⤵
        Program crash
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 876
        42⤵
        Program crash
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        Modifies registry key
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 876
        40⤵
        Program crash
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:4564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 864
        38⤵
        Program crash
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 876
        36⤵
        Program crash
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        
        PID:1452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 872
        34⤵
        Program crash
        
        PID:4968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 856
        32⤵
        Program crash
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 876
        30⤵
        Program crash
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 876
        28⤵
        Program crash
        
        PID:3928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 876
        26⤵
        Program crash
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 876
        24⤵
        Program crash
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 892
        22⤵
        Program crash
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 876
        20⤵
        Program crash
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 876
        18⤵
        Program crash
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 856
        16⤵
        Program crash
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 876
        14⤵
        Program crash
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 876
        12⤵
        Program crash
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        Modifies registry key
        
        PID:2888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 876
        10⤵
        Program crash
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:4784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 876
        8⤵
        Program crash
        
        PID:1824
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:744
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3980
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 876
        6⤵
        Program crash
        
        PID:5080
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:1860
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 876
      4⤵
      Program crash
      PID:4340
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4296
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:3192
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:4244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 924
  2⤵
  - Program crash
  PID:3224

C:\ProgramData\XYwkssoQ\oYIoAMEI.exe
C:\ProgramData\XYwkssoQ\oYIoAMEI.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2676 -ip 2676
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3804 -ip 3804
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3508 -ip 3508
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2204 -ip 2204
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4780 -ip 4780
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4856 -ip 4856
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3224 -ip 3224
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3584 -ip 3584
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3592 -ip 3592
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3956 -ip 3956
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2520 -ip 2520
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3456 -ip 3456
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4720 -ip 4720
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4644 -ip 4644
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3904 -ip 3904
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4804 -ip 4804
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2844 -ip 2844
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4720 -ip 4720
1⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4296 -ip 4296
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3944 -ip 3944
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2904 -ip 2904
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4840 -ip 4840
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3980 -ip 3980
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4320 -ip 4320
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3944 -ip 3944
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3176 -ip 3176
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1860 -ip 1860
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1376 -ip 1376
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3856 -ip 3856
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4420 -ip 4420
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4340 -ip 4340
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1844 -ip 1844
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3956 -ip 3956
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3764 -ip 3764
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2996 -ip 2996
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4316 -ip 4316
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4188 -ip 4188
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2904 -ip 2904
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4132 -ip 4132
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4860 -ip 4860
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1480 -ip 1480
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2124 -ip 2124
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4572 -ip 4572
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1568 -ip 1568
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1492 -ip 1492
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2592 -ip 2592
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3144 -ip 3144
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4744 -ip 4744
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3168 -ip 3168
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5072 -ip 5072
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2192 -ip 2192
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1884 -ip 1884
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4964 -ip 4964
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4312 -ip 4312
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2604 -ip 2604
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 720 -ip 720
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4080 -ip 4080
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1824 -ip 1824
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4872 -ip 4872
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2284 -ip 2284
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3976 -ip 3976
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4780 -ip 4780
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3424 -ip 3424
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 640 -ip 640
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3600 -ip 3600
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3196 -ip 3196
1⤵
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2844 -ip 2844
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3532 -ip 3532
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3380 -ip 3380
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3184 -ip 3184
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3144 -ip 3144
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2488 -ip 2488
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4268 -ip 4268
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2996 -ip 2996
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4220 -ip 4220
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4744 -ip 4744
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3976 -ip 3976
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3564 -ip 3564
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2576 -ip 2576
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3932 -ip 3932
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4520 -ip 4520
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4244 -ip 4244
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2644 -ip 2644
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3188 -ip 3188
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4500 -ip 4500
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4784 -ip 4784
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 516 -ip 516
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1768 -ip 1768
1⤵
PID:3680

C:\ProgramData\eagYIAws\RkowMUUc.exe
C:\ProgramData\eagYIAws\RkowMUUc.exe
1⤵
PID:4324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 260
  2⤵
  PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4340 -ip 4340
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4324 -ip 4324
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3204 -ip 3204
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1880 -ip 1880
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 808 -ip 808
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4864 -ip 4864
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4080 -ip 4080
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3896 -ip 3896
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3592 -ip 3592
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4824 -ip 4824
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4512 -ip 4512
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3528 -ip 3528
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3464 -ip 3464
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 392 -ip 392
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1980 -ip 1980
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3928 -ip 3928
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3140 -ip 3140
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4268 -ip 4268
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3196 -ip 3196
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4824 -ip 4824
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4752 -ip 4752
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1736 -ip 1736
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4860 -ip 4860
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4328 -ip 4328
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1144 -ip 1144
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4560 -ip 4560
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5068 -ip 5068
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3120 -ip 3120
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2604 -ip 2604
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4328 -ip 4328
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4952 -ip 4952
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4144 -ip 4144
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2740 -ip 2740
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4848 -ip 4848
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4860 -ip 4860
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3168 -ip 3168
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2480 -ip 2480
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1256 -ip 1256
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4620 -ip 4620
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1948 -ip 1948
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4380 -ip 4380
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5048 -ip 5048
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4080 -ip 4080
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 868 -ip 868
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3436 -ip 3436
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3164 -ip 3164
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3832 -ip 3832
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2636 -ip 2636
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3224 -ip 3224
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2844 -ip 2844
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5080 -ip 5080
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2348 -ip 2348
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3980 -ip 3980
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3364 -ip 3364
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2576 -ip 2576
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4472 -ip 4472
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3296 -ip 3296
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3120 -ip 3120
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4780 -ip 4780
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XYwkssoQ\oYIoAMEI.exe

Filesize
957KB

MD5
7eac3f0ace5945887b0ca94ad41c64dc

SHA1
8e01ef69712b7a6f56cfc85670e5e8602814161b

SHA256
88caae013d1b079af9660da82f2944ac94023923f8e1cce3dc14051c8d467744

SHA512
866b8133ab89dd09213c6e71f1284f538a062644a6e65bfaebbe046bf2ddb7b58dff7276c5d919e10089d254e668f01a68e0f53dfa6d353a06c9bd416a0d0959

Download Submit
C:\ProgramData\raskQgos\WSsEAYow.exe

Filesize
955KB

MD5
fe52703fceb3b941d561fb43da1976c7

SHA1
fc76d8eb66ce5587b990208aff15a238f32fd015

SHA256
0846c8685ff8f556ac0d3a3c93af9cb860396e4b2a0b4125f591b4acdbc4225e

SHA512
611c0c1e082fd074176468487a1eaea9637b6f3c58a94947ba837c9516b2f4be5fa1756f8c046e977e5940e41a095c2a815a8ba775ff1362d20c03017dec345e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc65e05fb084c04524d23c52ba4951125943d1d109727c5f78e78b64d5cbd592

Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\Users\Admin\IkQMocwY\NUgkowgc.exe

Filesize
954KB

MD5
520ac200b86703c33d8b2b2768550493

SHA1
ff80e77737d80eb5a6704880fcbbc62e9f0366b0

SHA256
436198f674eca859dcedeaa9793670bb7cb2ce548bf7ffc0141c743276207981

SHA512
da79dc250a7c66c9908f6f440133a390151e454daeb27602b7a509d97299f7d7067be7ce94622ac3e69938615bbf58fbcdc8fbceda83ded3a135683e7f3c2cad

Download Submit
memory/2304-7-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2304-10-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2304-87-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2304-98-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2676-0-0x0000000000401000-0x00000000004F7000-memory.dmp

Filesize
984KB

Download
memory/2676-1-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2676-26-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2676-25-0x0000000000401000-0x00000000004F7000-memory.dmp

Filesize
984KB

Download
memory/4828-15-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4828-115-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download