Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
02/10/2022, 19:37
General
-
Target
a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exe
-
Size
538KB
-
MD5
6da893762cb4c1488709caad02f043d0
-
SHA1
a3b3a698892554cb0fc7bbab31aef011264c0a0b
-
SHA256
a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff
-
SHA512
efe6e1f90b7a08d75d7d5ab38d53b303b0ca9680484868fbd4fe1ae75d417a0cc03f375b81ee89ac36d6f6162bb9292686675f55542a1ecead43139e548a9f79
-
SSDEEP
12288:fHCXV0qw3XMpQYj1XacctPWYyOqWCNUyvrL:PJAQYjFaLFWYyN5L
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exe"C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\dIAEowgU\PuMcgUYA.exe"C:\Users\Admin\dIAEowgU\PuMcgUYA.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\ProgramData\gEcMgMgc\xcwAEwoo.exe"C:\ProgramData\gEcMgMgc\xcwAEwoo.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"8⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff9⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"10⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"12⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff13⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"14⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff15⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"16⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff17⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"18⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff19⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"20⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff21⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"22⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"24⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"26⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff27⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"28⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff29⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"30⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff31⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"32⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff33⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"34⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff35⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"36⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff37⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"38⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff39⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"40⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff41⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"42⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff43⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"44⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff45⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"46⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff47⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"48⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff49⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yqsYYswY.bat" "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exe""50⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs51⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f50⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 250⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 150⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"50⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff51⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"52⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff53⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"54⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff55⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"56⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff57⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"58⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff59⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"60⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"62⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff63⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"64⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff65⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"66⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff67⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"68⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff69⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"70⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff71⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"72⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff73⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"74⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff75⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"76⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff77⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"78⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff79⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"80⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff81⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"82⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff83⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"84⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff85⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"86⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff87⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"88⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff89⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"90⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff91⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"92⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff93⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"94⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff95⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"96⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff97⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"98⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff99⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"100⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff101⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"102⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff103⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"104⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff105⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"106⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵
-
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff107⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"108⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff109⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"110⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"112⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff113⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
-
C:\Users\Admin\JuYQoEYo\ngEAAIsY.exe"C:\Users\Admin\JuYQoEYo\ngEAAIsY.exe"114⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 328115⤵
- Program crash
-
-
-
C:\ProgramData\umIkgMkk\YMYgUsAE.exe"C:\ProgramData\umIkgMkk\YMYgUsAE.exe"114⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 264115⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"114⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"116⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff117⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"118⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff119⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff"120⤵
-
C:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff.exeC:\Users\Admin\AppData\Local\Temp\a01358fe1f0c3c812cdc508cb1c8cd882b8049ce779122db6c058e07e95faeff121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-