9006a321a4b39ea4288ba9e2c951eca18b6ed2c3bafcb259babf0297bb3d7289

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 16:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c53c092089ab85_JC.exe
Size

245KB
MD5

c53c092089ab85d8854bf5d66d53fcbc
SHA1

4813169600a2e76373392d704aaf48c73a4c2fc1
SHA256

9006a321a4b39ea4288ba9e2c951eca18b6ed2c3bafcb259babf0297bb3d7289
SHA512

47243c3d0a739ff42ebf042edb925bf6bf62b36d770dd616b9615eb8b0a65fe825d7508bc038418e8aeb8b9617c6760662343a62aecb26e8c5f7171af2438cdd
SSDEEP

6144:heYvqHehD1ngC5SMLlN6AaxhAHEmXtxUE6aTk81Pz:8jHWD1ngyLWzbmbpA6z

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 34 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c53c092089ab85_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cscript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Conhost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskkill.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c53c092089ab85_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c53c092089ab85_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
4784	aEokokIk.exe
3948	OaQcMQQY.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OaQcMQQY.exe = "C:\\ProgramData\\cAkEoggw\\OaQcMQQY.exe"	OaQcMQQY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aEokokIk.exe = "C:\\Users\\Admin\\ZaoUYswQ\\aEokokIk.exe"	c53c092089ab85_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OaQcMQQY.exe = "C:\\ProgramData\\cAkEoggw\\OaQcMQQY.exe"	c53c092089ab85_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aEokokIk.exe = "C:\\Users\\Admin\\ZaoUYswQ\\aEokokIk.exe"	aEokokIk.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c53c092089ab85_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c53c092089ab85_JC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c53c092089ab85_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c53c092089ab85_JC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1432	taskkill.exe
4624	taskkill.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
1448	reg.exe
1200	reg.exe
4876	reg.exe
2712	reg.exe
2796	reg.exe
2712	reg.exe
4824	reg.exe
4116	reg.exe
4404	reg.exe
3052	reg.exe
3640	reg.exe
2568	reg.exe
4876	reg.exe
1404	reg.exe
1816	reg.exe
3260	reg.exe
4464	reg.exe
1388	reg.exe
1348	reg.exe
1348	reg.exe
4112	reg.exe
4160	reg.exe
2004	reg.exe
1932	reg.exe
1568	reg.exe
1432	reg.exe
4584	reg.exe
448	reg.exe
4364	reg.exe
984	reg.exe
2184	reg.exe
3676	reg.exe
2016	reg.exe
3208	reg.exe
2732	reg.exe
1664	reg.exe
4276	reg.exe
4696	reg.exe
4336	reg.exe
3352	reg.exe
1916	reg.exe
1376	reg.exe
2016	reg.exe
656	reg.exe
2924	reg.exe
4924	reg.exe
632	reg.exe
2336	reg.exe
452	reg.exe
3404	reg.exe
4408	reg.exe
704	reg.exe
3836	reg.exe
4744	reg.exe
4552	reg.exe
4892	reg.exe
3812	reg.exe
4232	reg.exe
1592	reg.exe
2192	reg.exe
3812	reg.exe
2892	reg.exe
4264	reg.exe
4088	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
636	c53c092089ab85_JC.exe
636	c53c092089ab85_JC.exe
636	c53c092089ab85_JC.exe
636	c53c092089ab85_JC.exe
708	c53c092089ab85_JC.exe
708	c53c092089ab85_JC.exe
708	c53c092089ab85_JC.exe
708	c53c092089ab85_JC.exe
1544	c53c092089ab85_JC.exe
1544	c53c092089ab85_JC.exe
1544	c53c092089ab85_JC.exe
1544	c53c092089ab85_JC.exe
4844	c53c092089ab85_JC.exe
4844	c53c092089ab85_JC.exe
4844	c53c092089ab85_JC.exe
4844	c53c092089ab85_JC.exe
732	Process not Found
732	Process not Found
732	Process not Found
732	Process not Found
3380	c53c092089ab85_JC.exe
3380	c53c092089ab85_JC.exe
3380	c53c092089ab85_JC.exe
3380	c53c092089ab85_JC.exe
3592	c53c092089ab85_JC.exe
3592	c53c092089ab85_JC.exe
3592	c53c092089ab85_JC.exe
3592	c53c092089ab85_JC.exe
4496	c53c092089ab85_JC.exe
4496	c53c092089ab85_JC.exe
4496	c53c092089ab85_JC.exe
4496	c53c092089ab85_JC.exe
2948	c53c092089ab85_JC.exe
2948	c53c092089ab85_JC.exe
2948	c53c092089ab85_JC.exe
2948	c53c092089ab85_JC.exe
4516	c53c092089ab85_JC.exe
4516	c53c092089ab85_JC.exe
4516	c53c092089ab85_JC.exe
4516	c53c092089ab85_JC.exe
220	Conhost.exe
220	Conhost.exe
220	Conhost.exe
220	Conhost.exe
1200	Conhost.exe
1200	Conhost.exe
1200	Conhost.exe
1200	Conhost.exe
4448	mousocoreworker.exe
4448	mousocoreworker.exe
4448	mousocoreworker.exe
4448	mousocoreworker.exe
3484	wmiprvse.exe
3484	wmiprvse.exe
3484	wmiprvse.exe
3484	wmiprvse.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
4832	cscript.exe
4832	cscript.exe
4832	cscript.exe
4832	cscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 4784	636	c53c092089ab85_JC.exe	85
PID 636 wrote to memory of 4784	636	c53c092089ab85_JC.exe	85
PID 636 wrote to memory of 4784	636	c53c092089ab85_JC.exe	85
PID 636 wrote to memory of 3948	636	c53c092089ab85_JC.exe	86
PID 636 wrote to memory of 3948	636	c53c092089ab85_JC.exe	86
PID 636 wrote to memory of 3948	636	c53c092089ab85_JC.exe	86
PID 636 wrote to memory of 340	636	c53c092089ab85_JC.exe	87
PID 636 wrote to memory of 340	636	c53c092089ab85_JC.exe	87
PID 636 wrote to memory of 340	636	c53c092089ab85_JC.exe	87
PID 636 wrote to memory of 4460	636	c53c092089ab85_JC.exe	89
PID 636 wrote to memory of 4460	636	c53c092089ab85_JC.exe	89
PID 636 wrote to memory of 4460	636	c53c092089ab85_JC.exe	89
PID 636 wrote to memory of 4112	636	c53c092089ab85_JC.exe	90
PID 636 wrote to memory of 4112	636	c53c092089ab85_JC.exe	90
PID 636 wrote to memory of 4112	636	c53c092089ab85_JC.exe	90
PID 636 wrote to memory of 2732	636	c53c092089ab85_JC.exe	91
PID 636 wrote to memory of 2732	636	c53c092089ab85_JC.exe	91
PID 636 wrote to memory of 2732	636	c53c092089ab85_JC.exe	91
PID 636 wrote to memory of 924	636	c53c092089ab85_JC.exe	92
PID 636 wrote to memory of 924	636	c53c092089ab85_JC.exe	92
PID 636 wrote to memory of 924	636	c53c092089ab85_JC.exe	92
PID 340 wrote to memory of 708	340	cmd.exe	97
PID 340 wrote to memory of 708	340	cmd.exe	97
PID 340 wrote to memory of 708	340	cmd.exe	97
PID 924 wrote to memory of 3932	924	cmd.exe	98
PID 924 wrote to memory of 3932	924	cmd.exe	98
PID 924 wrote to memory of 3932	924	cmd.exe	98
PID 708 wrote to memory of 3228	708	c53c092089ab85_JC.exe	99
PID 708 wrote to memory of 3228	708	c53c092089ab85_JC.exe	99
PID 708 wrote to memory of 3228	708	c53c092089ab85_JC.exe	99
PID 708 wrote to memory of 3640	708	c53c092089ab85_JC.exe	101
PID 708 wrote to memory of 3640	708	c53c092089ab85_JC.exe	101
PID 708 wrote to memory of 3640	708	c53c092089ab85_JC.exe	101
PID 708 wrote to memory of 4264	708	c53c092089ab85_JC.exe	102
PID 708 wrote to memory of 4264	708	c53c092089ab85_JC.exe	102
PID 708 wrote to memory of 4264	708	c53c092089ab85_JC.exe	102
PID 708 wrote to memory of 4816	708	c53c092089ab85_JC.exe	107
PID 708 wrote to memory of 4816	708	c53c092089ab85_JC.exe	107
PID 708 wrote to memory of 4816	708	c53c092089ab85_JC.exe	107
PID 708 wrote to memory of 4268	708	c53c092089ab85_JC.exe	106
PID 708 wrote to memory of 4268	708	c53c092089ab85_JC.exe	106
PID 708 wrote to memory of 4268	708	c53c092089ab85_JC.exe	106
PID 3228 wrote to memory of 1544	3228	cmd.exe	109
PID 3228 wrote to memory of 1544	3228	cmd.exe	109
PID 3228 wrote to memory of 1544	3228	cmd.exe	109
PID 4268 wrote to memory of 3472	4268	cmd.exe	110
PID 4268 wrote to memory of 3472	4268	cmd.exe	110
PID 4268 wrote to memory of 3472	4268	cmd.exe	110
PID 1544 wrote to memory of 1136	1544	c53c092089ab85_JC.exe	111
PID 1544 wrote to memory of 1136	1544	c53c092089ab85_JC.exe	111
PID 1544 wrote to memory of 1136	1544	c53c092089ab85_JC.exe	111
PID 1544 wrote to memory of 3812	1544	c53c092089ab85_JC.exe	121
PID 1544 wrote to memory of 3812	1544	c53c092089ab85_JC.exe	121
PID 1544 wrote to memory of 3812	1544	c53c092089ab85_JC.exe	121
PID 1544 wrote to memory of 2636	1544	c53c092089ab85_JC.exe	119
PID 1544 wrote to memory of 2636	1544	c53c092089ab85_JC.exe	119
PID 1544 wrote to memory of 2636	1544	c53c092089ab85_JC.exe	119
PID 1544 wrote to memory of 2000	1544	c53c092089ab85_JC.exe	114
PID 1544 wrote to memory of 2000	1544	c53c092089ab85_JC.exe	114
PID 1544 wrote to memory of 2000	1544	c53c092089ab85_JC.exe	114
PID 1544 wrote to memory of 1780	1544	c53c092089ab85_JC.exe	113
PID 1544 wrote to memory of 1780	1544	c53c092089ab85_JC.exe	113
PID 1544 wrote to memory of 1780	1544	c53c092089ab85_JC.exe	113
PID 1136 wrote to memory of 4844	1136	cmd.exe	120

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	c53c092089ab85_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c53c092089ab85_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	c53c092089ab85_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c53c092089ab85_JC.exe

C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\ZaoUYswQ\aEokokIk.exe
  "C:\Users\Admin\ZaoUYswQ\aEokokIk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "USERNAME eq Admin" /F /IM OaQcMQQY.exe
    3⤵
    - UAC bypass
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- C:\ProgramData\cAkEoggw\OaQcMQQY.exe
  "C:\ProgramData\cAkEoggw\OaQcMQQY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /FI "USERNAME eq Admin" /F /IM aEokokIk.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
    C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        8⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        9⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        10⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        12⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        14⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        16⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        18⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        20⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        21⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        22⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        23⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        24⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        25⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        26⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        27⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        28⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        29⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        30⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        31⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        32⤵
        
        PID:1260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        33⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        34⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        35⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        36⤵
        
        PID:748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        37⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        38⤵
        
        PID:820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        39⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        40⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        41⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        42⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        43⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        44⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        45⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        46⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        47⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        48⤵
        
        PID:2764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        49⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        50⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        51⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        52⤵
        
        PID:1044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        53⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        54⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        55⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        56⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        57⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        58⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        59⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        60⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        61⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        62⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        63⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        64⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        65⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        66⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        67⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        68⤵
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        69⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        70⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:1816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        71⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        72⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe
        
        C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC
        73⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC"
        74⤵
        
        PID:3752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqEMokQs.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        74⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        
        PID:668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PQYYckAw.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        72⤵
        
        PID:1592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        Modifies registry key
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIQccYEg.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        70⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        Modifies registry key
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIkgsoYU.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        68⤵
        
        PID:2428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        Modifies registry key
        
        PID:3352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amwcocQk.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        66⤵
        
        PID:1884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        UAC bypass
        Checks whether UAC is enabled
        System policy modification
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        UAC bypass
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1784
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        UAC bypass
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQgcwQAg.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        64⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWQMwoow.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        62⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        Modifies registry key
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        Modifies registry key
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIoUgQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        60⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        Modifies registry key
        
        PID:4160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:3812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        Modifies registry key
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwwgEoAM.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        58⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        Modifies visibility of file extensions in Explorer
        UAC bypass
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQkUYsEA.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        56⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        Modifies registry key
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoYUsMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        54⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAMoEwYg.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        52⤵
        
        PID:4844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        Modifies registry key
        
        PID:3260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        UAC bypass
        Modifies registry key
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKQMYsAE.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        50⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies registry key
        
        PID:3812
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aqMoUQMw.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        48⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        Modifies registry key
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuYgIwQw.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        46⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        UAC bypass
        
        PID:1648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        Modifies registry key
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies registry key
        
        PID:1348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        Modifies registry key
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWUosgsg.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        44⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eWkUcgAg.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        42⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        UAC bypass
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        Modifies registry key
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        Modifies visibility of file extensions in Explorer
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        Modifies registry key
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOwgoMAc.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        40⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        Modifies registry key
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dKYcoUQQ.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        38⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        Modifies registry key
        
        PID:4552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        Modifies registry key
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BigEkQcA.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        36⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        UAC bypass
        Modifies registry key
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqYgMoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        34⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies registry key
        
        PID:2192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:3404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        Modifies registry key
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OigAsUQE.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        32⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuwEwQAY.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        30⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        Modifies registry key
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQcMEIcM.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        28⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEsYwkAs.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        26⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        Modifies registry key
        
        PID:3836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcggQUAY.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        24⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAYYsEoU.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        22⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqscIsoc.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        20⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        Modifies registry key
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMgAcgMk.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        18⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCssYwMk.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        16⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        Modifies registry key
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        Modifies registry key
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiogEwwU.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        14⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        Modifies registry key
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwkgUcIQ.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        12⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        UAC bypass
        
        PID:1124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies registry key
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NEsMkogc.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        10⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        Modifies registry key
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies registry key
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmAkkUow.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        8⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        Modifies registry key
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:2568
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwUwQYMA.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
        6⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:1688
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:2000
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:2636
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3812
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies registry key
      PID:3640
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:4264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEIwIQMY.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3472
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      UAC bypass
      PID:4816
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4460
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4112
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  - Modifies registry key
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUAwckYs.bat" "C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:3932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2416

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- UAC bypass
PID:2868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4964

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3320

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1616

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- UAC bypass
PID:3052

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv ffoxPFCPvkeq60TJ2L127Q.0.2
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cAkEoggw\OaQcMQQY.exe

Filesize
188KB

MD5
5de63863b04e6b87662917cf3fc534a4

SHA1
44eef0ef6dd5a2c26706cca7bb7f1a629aaef149

SHA256
357ba426418be899bb9619518b02a94255b699e0ec8dbab46e83ba40558ef3a2

SHA512
4711d5416f8f82b288c70e7b8644db074c21d77763bd0831d16e33197fb6f533a5326ee73efda702f1c1d03d0141636e07459d9bd5c6c10fe2b22cd7c3609730

Download Submit
C:\ProgramData\cAkEoggw\OaQcMQQY.exe

Filesize
188KB

MD5
5de63863b04e6b87662917cf3fc534a4

SHA1
44eef0ef6dd5a2c26706cca7bb7f1a629aaef149

SHA256
357ba426418be899bb9619518b02a94255b699e0ec8dbab46e83ba40558ef3a2

SHA512
4711d5416f8f82b288c70e7b8644db074c21d77763bd0831d16e33197fb6f533a5326ee73efda702f1c1d03d0141636e07459d9bd5c6c10fe2b22cd7c3609730

Download Submit
C:\ProgramData\cAkEoggw\OaQcMQQY.inf

Filesize
4B

MD5
7f1f8332c338dccfcfa09858440d440f

SHA1
38c16099779df8a212b4026e71ba42a7575b804b

SHA256
b719b2c434e8a3907c59de7d763385f3eaf8200d7ee43f7eb7ec95cfc11f220e

SHA512
1ddf46b9ded2bc5735d7ab7b0b8e783e0ad055abc407df0e80935f1f733cf31eedd0d56cee29e4ac15803d3e29daa7bc825f7e0e64991fcbecc1dfd2d556caee

Download Submit
C:\ProgramData\cAkEoggw\OaQcMQQY.inf

Filesize
4B

MD5
1ee715783dc9ca25029a7b9ec90ae7ab

SHA1
217e14f8eac132012e9d978b38cfe6220f9df592

SHA256
ef95a210df0b57f5d2a4d376f14adfcec9b9b485bb72aecdfe0181362c483692

SHA512
0acbefcb68e7fea50cb487e7fe78b9a661582e1c3f14dbbe91fe3857a4c886970a813f33b3a52bce5ff5ab10a06995e778dbbf07193422a6af3937a827173154

Download Submit
C:\ProgramData\cAkEoggw\OaQcMQQY.inf

Filesize
4B

MD5
01b036f30bcf07d8824129e4a1535418

SHA1
f4e213f03a2583d48f790a1298d5194e32614511

SHA256
d9ea61a83c45c96fb0707ec8b32fffb20a68f337ac214b218745fe0cf143906d

SHA512
8fc0e826637e82440591e40a39c0c92e34fef6cb0e79661aa37431695772a8420f3ac5474f9ddf4676f663d5e022bcebea196da2ded1a40a5248ca8a032a44f1

Download Submit
C:\ProgramData\cAkEoggw\OaQcMQQY.inf

Filesize
4B

MD5
cc86e92ac629039ca32265e42ba42a45

SHA1
4d198a85977a1e4269ad83f80844f679b9381e38

SHA256
0e6e58da902b0fa3d08c2551b0eb9c8f17b0a28ffe030e5d942d7f41fe7c7b9c

SHA512
9e0a8161ca7d3781902536646be8fd3f3ca64a9cfd6ed0a53df8d0106bbc7effb9fd760e97f9302491ed3e8416be5e91c1204b611ff6d7d4f6f4b385038f5f64

Download Submit
C:\ProgramData\cAkEoggw\OaQcMQQY.inf

Filesize
4B

MD5
63f8341c935e0d5ed6c8db14ab0ebfdb

SHA1
257f1cee2b11523418d963f0570cca15ca53d5f7

SHA256
79b92f7f12fccc9f6357f09657b60bc932ccbd5bf1269436b32402d4813ee233

SHA512
4d9a918f4fd6342c4afd61207d30664eed08a184691da4ca68c8fe6a7631075791df2e3ae90047b43b8129b9150f41b145b15c0419339088ff77a236e4235d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEsYwkAs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEIwIQMY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcggQUAY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEsMkogc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OigAsUQE.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\PMgAcgMk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmAkkUow.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\UuwEwQAY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwUwQYMA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwUwQYMA.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQcMEIcM.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAYYsEoU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZwkgUcIQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53c092089ab85_JC

Filesize
48KB

MD5
3112db426b23656c88a16cb67178da8e

SHA1
d91f012df2c62efac5cf69960e7e2e527a8eddee

SHA256
96a7352a3a51d1a15de013eccb3e13b87c4bc23a0275b7ca9e03fd0c7579e1ba

SHA512
375a9398e0ca437445758870a8e916974c6c2d8e08664d5132c3662ea059182a41b5fd9521e19f9c4813e0fe5355a30f0e60bc9d02ebca199eac82ffe1241a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqYgMoUQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiogEwwU.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcMO.exe

Filesize
5.2MB

MD5
a5ef80c7d2d1bcd4d8dd0ff9b2ef4be6

SHA1
33ac6152e994ab834be8d7c6f75a02eafa8e16a9

SHA256
d38913b81e54bd4d7c878de1968b9ca7d85fb8573ef618b4d746c143b87f8e2e

SHA512
26f8ffb3a0bd55de21be305f010b47eb6213190db654ff13594171e8d052c83febe30182d7b6b16a596ebc82e0e8ced1c2e63f5693008db9790030606ffc0a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqscIsoc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\uUAwckYs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\xCssYwMk.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\ZaoUYswQ\aEokokIk.exe

Filesize
192KB

MD5
5f9cc9bdf1a3c03169421d6987ca0666

SHA1
7dbc810ac8a7a83667d6b692bc05060f2babe678

SHA256
cbb60033754a8cea3289c1f351db4d96140f7365c27f116ecceb3291b41a5bd0

SHA512
b1c22912f54ca4f7d4f4926073f4d5e0c2d9a166c5f324c6c477961dd84d85bff14a1661441f84aa56537ef391a362417f74b3814b6af97646fc90a981e9597b

Download Submit
C:\Users\Admin\ZaoUYswQ\aEokokIk.exe

Filesize
192KB

MD5
5f9cc9bdf1a3c03169421d6987ca0666

SHA1
7dbc810ac8a7a83667d6b692bc05060f2babe678

SHA256
cbb60033754a8cea3289c1f351db4d96140f7365c27f116ecceb3291b41a5bd0

SHA512
b1c22912f54ca4f7d4f4926073f4d5e0c2d9a166c5f324c6c477961dd84d85bff14a1661441f84aa56537ef391a362417f74b3814b6af97646fc90a981e9597b

Download Submit
C:\Users\Admin\ZaoUYswQ\aEokokIk.inf

Filesize
4B

MD5
7f1f8332c338dccfcfa09858440d440f

SHA1
38c16099779df8a212b4026e71ba42a7575b804b

SHA256
b719b2c434e8a3907c59de7d763385f3eaf8200d7ee43f7eb7ec95cfc11f220e

SHA512
1ddf46b9ded2bc5735d7ab7b0b8e783e0ad055abc407df0e80935f1f733cf31eedd0d56cee29e4ac15803d3e29daa7bc825f7e0e64991fcbecc1dfd2d556caee

Download Submit
C:\Users\Admin\ZaoUYswQ\aEokokIk.inf

Filesize
4B

MD5
1ee715783dc9ca25029a7b9ec90ae7ab

SHA1
217e14f8eac132012e9d978b38cfe6220f9df592

SHA256
ef95a210df0b57f5d2a4d376f14adfcec9b9b485bb72aecdfe0181362c483692

SHA512
0acbefcb68e7fea50cb487e7fe78b9a661582e1c3f14dbbe91fe3857a4c886970a813f33b3a52bce5ff5ab10a06995e778dbbf07193422a6af3937a827173154

Download Submit
C:\Users\Admin\ZaoUYswQ\aEokokIk.inf

Filesize
4B

MD5
01b036f30bcf07d8824129e4a1535418

SHA1
f4e213f03a2583d48f790a1298d5194e32614511

SHA256
d9ea61a83c45c96fb0707ec8b32fffb20a68f337ac214b218745fe0cf143906d

SHA512
8fc0e826637e82440591e40a39c0c92e34fef6cb0e79661aa37431695772a8420f3ac5474f9ddf4676f663d5e022bcebea196da2ded1a40a5248ca8a032a44f1

Download Submit
C:\Users\Admin\ZaoUYswQ\aEokokIk.inf

Filesize
4B

MD5
cc86e92ac629039ca32265e42ba42a45

SHA1
4d198a85977a1e4269ad83f80844f679b9381e38

SHA256
0e6e58da902b0fa3d08c2551b0eb9c8f17b0a28ffe030e5d942d7f41fe7c7b9c

SHA512
9e0a8161ca7d3781902536646be8fd3f3ca64a9cfd6ed0a53df8d0106bbc7effb9fd760e97f9302491ed3e8416be5e91c1204b611ff6d7d4f6f4b385038f5f64

Download Submit
C:\Users\Admin\ZaoUYswQ\aEokokIk.inf

Filesize
4B

MD5
63f8341c935e0d5ed6c8db14ab0ebfdb

SHA1
257f1cee2b11523418d963f0570cca15ca53d5f7

SHA256
79b92f7f12fccc9f6357f09657b60bc932ccbd5bf1269436b32402d4813ee233

SHA512
4d9a918f4fd6342c4afd61207d30664eed08a184691da4ca68c8fe6a7631075791df2e3ae90047b43b8129b9150f41b145b15c0419339088ff77a236e4235d67

Download Submit
memory/116-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/220-282-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/636-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/636-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/708-164-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/732-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1124-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1200-281-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1200-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1248-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1248-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1424-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1424-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1544-177-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-503-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-513-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1880-494-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2116-539-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2192-548-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2192-541-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2948-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3052-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3320-521-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3380-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3380-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3484-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3592-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3836-468-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3836-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3904-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3948-572-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3948-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4280-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4280-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4448-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4448-294-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-391-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4496-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4496-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4556-476-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4584-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4744-522-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4744-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-571-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4784-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4832-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4836-457-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4844-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4844-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-350-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-359-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4964-399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4964-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download