Analysis
-
max time kernel
56s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
28/10/2022, 19:46
Static task
static1
Behavioral task
behavioral1
Sample
84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe
Resource
win10v2004-20220812-en
General
-
Target
84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe
-
Size
442KB
-
MD5
0988372291a3f344016cd7d518af62e0
-
SHA1
79aed9e559d5b9af8a6c9f9c4a8f2df12de23740
-
SHA256
84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a
-
SHA512
948b1ceb1307336d08ed000de59eedef56cb96185dd43034a21091746a71af7b52c59c12c9b84b32bc25a598bbdf590ffb750e4587cdffc650cf7583d1c9237b
-
SSDEEP
12288:H6O1Rx+IDM95PRoa5IcrBIZNzAZDsl+5mAuT/QTS4wN:HV1Rx+II/PRtmgBIZYmlxb
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 33 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Executes dropped EXE 3 IoCs
pid Process
4328 ssscgMIc.exe
4996 kYsQsoAg.exe
4296 eYYIIUAQ.exe
-
Reads user/profile data of web browsers 2 TTPs
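Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. The signature records the read itself, so check network and file activity before concluding that credentials were stolen.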
-
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssscgMIc.exe = "C:\\Users\\Admin\\LQIMAoMU\\ssscgMIc.exe" 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssscgMIc.exe = "C:\\Users\\Admin\\LQIMAoMU\\ssscgMIc.exe" ssscgMIc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kYsQsoAg.exe = "C:\\ProgramData\\WmEcUEwg\\kYsQsoAg.exe" 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kYsQsoAg.exe = "C:\\ProgramData\\WmEcUEwg\\kYsQsoAg.exe" kYsQsoAg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kYsQsoAg.exe = "C:\\ProgramData\\WmEcUEwg\\kYsQsoAg.exe" eYYIIUAQ.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Process not Found Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 
84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\LQIMAoMU eYYIIUAQ.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\LQIMAoMU\ssscgMIc eYYIIUAQ.exe -
Enumerates physical storage devices 1 TTPs
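Attempts to interact with connected storage or optical drives. Likely ransomware behaviour, though drive enumeration alone does not confirm it; look for mass file modification or encryption to corroborate.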
-
Program crash 3 IoCs
pid pid_target Process procid_target
5092 4024 WerFault.exe 1696
980 2352 WerFault.exe 1697
4276 3436 WerFault.exe 1699
-
Modifies registry key 1 TTPs 64 IoCs
pid Process 3784 Process not Found 4988 reg.exe 2860 reg.exe 2020 reg.exe 5012 reg.exe 5000 reg.exe 4368 Process not Found 4488 Process not Found 2108 Process not Found 4652 reg.exe 2572 reg.exe 3980 reg.exe 424 reg.exe 1380 reg.exe 212 reg.exe 748 Process not Found 696 reg.exe 3464 reg.exe 448 reg.exe 1548 Process not Found 3736 Process not Found 3452 reg.exe 1816 reg.exe 4276 reg.exe 3172 reg.exe 384 Process not Found 1108 reg.exe 2752 reg.exe 4036 reg.exe 860 reg.exe 2312 Process not Found 800 Process not Found 320 Process not Found 2224 reg.exe 3288 reg.exe 2620 reg.exe 1892 reg.exe 4084 reg.exe 4468 reg.exe 2404 reg.exe 4188 Process not Found 1388 Process not Found 404 reg.exe 3100 reg.exe 2172 reg.exe 4320 reg.exe 3856 Process not Found 4984 reg.exe 4908 reg.exe 2184 reg.exe 3300 reg.exe 1116 Process not Found 4532 reg.exe 448 Process not Found 208 reg.exe 4496 reg.exe 4752 reg.exe 484 reg.exe 3228 reg.exe 2796 Process not Found 2504 Process not Found 4900 reg.exe 1080 reg.exe 4228 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 5116 sihclient.exe 5116 sihclient.exe 5116 sihclient.exe 5116 sihclient.exe 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 4968 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 4968 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 4968 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 4968 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 1576 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 1576 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 1576 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 1576 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 2504 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 2504 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 2504 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 2504 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 2520 Conhost.exe 2520 Conhost.exe 2520 Conhost.exe 2520 Conhost.exe 4348 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 4348 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 4348 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 4348 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 212 Conhost.exe 212 Conhost.exe 212 Conhost.exe 212 Conhost.exe 
3100 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 3100 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 3100 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 3100 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 1080 reg.exe 1080 reg.exe 1080 reg.exe 1080 reg.exe 2600 cscript.exe 2600 cscript.exe 2600 cscript.exe 2600 cscript.exe 644 Conhost.exe 644 Conhost.exe 644 Conhost.exe 644 Conhost.exe 4776 reg.exe 4776 reg.exe 4776 reg.exe 4776 reg.exe 444 cscript.exe 444 cscript.exe 444 cscript.exe 444 cscript.exe 1920 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 1920 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 1920 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 1920 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4656 wrote to memory of 4328 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 48 PID 4656 wrote to memory of 4328 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 48 PID 4656 wrote to memory of 4328 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 48 PID 4656 wrote to memory of 4996 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 82 PID 4656 wrote to memory of 4996 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 82 PID 4656 wrote to memory of 4996 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 82 PID 4656 wrote to memory of 5112 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 84 PID 4656 wrote to memory of 5112 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 84 PID 4656 wrote to memory of 5112 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 84 PID 4656 wrote to memory of 3656 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 239 PID 4656 wrote to memory of 3656 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 239 PID 4656 wrote to memory of 3656 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 239 PID 4656 wrote to memory of 4620 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 88 PID 4656 wrote to memory of 4620 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 88 PID 4656 wrote to memory of 4620 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 88 PID 4656 wrote to memory of 1468 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 92 PID 4656 wrote to memory of 1468 4656 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 92 PID 4656 wrote to memory of 1468 4656 
84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 92 PID 5112 wrote to memory of 5116 5112 cmd.exe 131 PID 5112 wrote to memory of 5116 5112 cmd.exe 131 PID 5112 wrote to memory of 5116 5112 cmd.exe 131 PID 5116 wrote to memory of 748 5116 sihclient.exe 387 PID 5116 wrote to memory of 748 5116 sihclient.exe 387 PID 5116 wrote to memory of 748 5116 sihclient.exe 387 PID 748 wrote to memory of 1652 748 cmd.exe 386 PID 748 wrote to memory of 1652 748 cmd.exe 386 PID 748 wrote to memory of 1652 748 cmd.exe 386 PID 5116 wrote to memory of 4092 5116 sihclient.exe 151 PID 5116 wrote to memory of 4092 5116 sihclient.exe 151 PID 5116 wrote to memory of 4092 5116 sihclient.exe 151 PID 5116 wrote to memory of 668 5116 sihclient.exe 385 PID 5116 wrote to memory of 668 5116 sihclient.exe 385 PID 5116 wrote to memory of 668 5116 sihclient.exe 385 PID 5116 wrote to memory of 3332 5116 sihclient.exe 383 PID 5116 wrote to memory of 3332 5116 sihclient.exe 383 PID 5116 wrote to memory of 3332 5116 sihclient.exe 383 PID 5116 wrote to memory of 3892 5116 sihclient.exe 97 PID 5116 wrote to memory of 3892 5116 sihclient.exe 97 PID 5116 wrote to memory of 3892 5116 sihclient.exe 97 PID 1652 wrote to memory of 4588 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 98 PID 1652 wrote to memory of 4588 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 98 PID 1652 wrote to memory of 4588 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 98 PID 1652 wrote to memory of 3452 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 108 PID 1652 wrote to memory of 3452 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 108 PID 1652 wrote to memory of 3452 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 108 PID 1652 wrote to memory of 4932 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 107 PID 1652 wrote to memory of 
4932 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 107 PID 1652 wrote to memory of 4932 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 107 PID 1652 wrote to memory of 4592 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 104 PID 1652 wrote to memory of 4592 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 104 PID 1652 wrote to memory of 4592 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 104 PID 1652 wrote to memory of 2796 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 102 PID 1652 wrote to memory of 2796 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 102 PID 1652 wrote to memory of 2796 1652 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 102 PID 4588 wrote to memory of 4968 4588 cmd.exe 105 PID 4588 wrote to memory of 4968 4588 cmd.exe 105 PID 4588 wrote to memory of 4968 4588 cmd.exe 105 PID 4968 wrote to memory of 1224 4968 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 381 PID 4968 wrote to memory of 1224 4968 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 381 PID 4968 wrote to memory of 1224 4968 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 381 PID 1224 wrote to memory of 1576 1224 cmd.exe 380 PID 1224 wrote to memory of 1576 1224 cmd.exe 380 PID 1224 wrote to memory of 1576 1224 cmd.exe 380 PID 4968 wrote to memory of 3756 4968 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe 379 -
System policy modification 1 TTPs 16 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value 
(int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Processes
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe"C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Users\Admin\LQIMAoMU\ssscgMIc.exe"C:\Users\Admin\LQIMAoMU\ssscgMIc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4328
-
-
C:\ProgramData\WmEcUEwg\kYsQsoAg.exe"C:\ProgramData\WmEcUEwg\kYsQsoAg.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4996
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a3⤵PID:5116
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 4⤵PID:4092
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wyYMgoAs.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""4⤵PID:3892
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:2184
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 2⤵PID:3656
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 2⤵PID:4620
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
PID:1468
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUwowook.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:4148
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:3896
-
-
-
C:\ProgramData\gyIocgUE\eYYIIUAQ.exeC:\ProgramData\gyIocgUE\eYYIIUAQ.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4296
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"1⤵
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- UAC bypass
PID:1700
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAwoMYQY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""3⤵PID:2236
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:2272
-
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 3⤵PID:3528
-
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 3⤵
- Modifies visibility of file extensions in Explorer
PID:3756
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"3⤵
- Suspicious use of WriteProcessMemory
PID:1224
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YsEMUIMg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:2796
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:2968
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
PID:4592
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 1⤵PID:4932
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 1⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yekUsMkM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:1692
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:3036
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4348 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:1232
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a3⤵PID:212
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:4360
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaYUIUsw.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""4⤵PID:1056
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:3468
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:2508
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"4⤵PID:3868
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:216
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGgEkwgY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:2364
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:4908
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
PID:208 -
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a3⤵PID:1592
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"4⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a5⤵PID:2088
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"6⤵PID:2524
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WmYQEAEM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""6⤵PID:2952
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵PID:2492
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:3084
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵PID:2144
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵PID:2620
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:4060
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSowMUEc.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""4⤵PID:4164
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:4324
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:736
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:3968
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:628
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv LmXWYKuqH0me1fOEMIHN2w.0.21⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
PID:3332 -
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a3⤵PID:1468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"4⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a5⤵PID:1156
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"6⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a7⤵PID:832
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"8⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a9⤵PID:4984
-
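C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"
10⤵
- Modifies visibility of file extensions in Explorer [this command line only relaunches the sample and contains no HideFileExt write; the tag may have been matched to PID 3708 rather than to this command, so confirm it against the registry events]
PID:3708 -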
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a11⤵PID:4168
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"12⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a13⤵PID:4736
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"14⤵PID:3848
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a15⤵PID:4228
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"16⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a17⤵PID:4732
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"18⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a19⤵PID:2172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"20⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a21⤵PID:3060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"22⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a23⤵PID:3172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"24⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a25⤵PID:4612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"26⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a27⤵PID:2760
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"28⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a29⤵PID:4320
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"30⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a31⤵PID:4692
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"32⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a33⤵PID:1256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"34⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a35⤵PID:3404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"36⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a37⤵PID:3060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"38⤵PID:3464
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a39⤵PID:4372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"40⤵PID:3308
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a41⤵PID:4612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"42⤵PID:2792
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV143⤵
- Modifies visibility of file extensions in Explorer
PID:5036
-
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a43⤵PID:2216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"44⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a45⤵PID:4736
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"46⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a47⤵PID:3588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"48⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a49⤵PID:1256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"50⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a51⤵PID:2532
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"52⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a53⤵PID:2916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"54⤵PID:3584
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a55⤵PID:3964
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"56⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a57⤵PID:3952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"58⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a59⤵PID:4228
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"60⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a61⤵PID:3848
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"62⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a63⤵PID:1592
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"64⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a65⤵PID:208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"66⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a67⤵PID:4468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"68⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a69⤵PID:384
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"70⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a71⤵PID:1756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"72⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a73⤵PID:1496
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"74⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a75⤵PID:1908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"76⤵PID:3508
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a77⤵PID:1440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"78⤵PID:2208
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a79⤵PID:1780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"80⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a81⤵PID:4924
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"82⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a83⤵PID:4240
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"84⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a85⤵PID:3584
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"86⤵PID:2280
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV187⤵PID:3336
-
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a87⤵PID:4288
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"88⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a89⤵PID:564
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"90⤵PID:4256
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:1816
-
-
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgUYYgsQ.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""
90⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2244
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵ PID:3260
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵ PID:3588
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵ PID:1352
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWEUIwMA.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""88⤵PID:1496
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs89⤵PID:1956
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f88⤵PID:3136
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 288⤵PID:3096
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 188⤵PID:4728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV189⤵PID:5108
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIwAgskM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""86⤵PID:4756
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs87⤵PID:3704
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f86⤵PID:2964
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 286⤵PID:1548
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 186⤵PID:1608
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zikYMoQU.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""84⤵PID:3752
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs85⤵PID:2780
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f84⤵PID:1656
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 284⤵PID:4136
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 184⤵PID:3060
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmsgQMYg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""82⤵PID:1904
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs83⤵PID:3340
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f82⤵PID:3288
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 282⤵PID:4468
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies registry key
PID:2172
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyowQQQg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""80⤵PID:4100
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs81⤵PID:3356
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:3468
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵ PID:1876
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵ PID:4112
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OkEkMYQs.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""78⤵PID:3540
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs79⤵PID:4392
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f78⤵PID:1572
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 278⤵PID:4588
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 178⤵PID:4244
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGkUsQQo.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""76⤵PID:4716
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs77⤵PID:4192
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f76⤵PID:1692
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 276⤵PID:3896
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 176⤵PID:3732
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwwQUgkI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""74⤵PID:5068
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs75⤵PID:1136
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f74⤵PID:1380
-
-
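C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Suspicious behavior: EnumeratesProcesses [this reg.exe command line only sets the Hidden value; the tag may have been matched to PID 4776 rather than to this command, so confirm it against the process events]
PID:4776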
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 174⤵PID:1392
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 272⤵PID:4752
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 172⤵PID:4612
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGIYAAgk.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""72⤵PID:3948
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs73⤵PID:2632
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f72⤵PID:1032
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYIkAMcI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""70⤵PID:4892
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs71⤵PID:2280
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f70⤵PID:3964
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 270⤵PID:4372
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 170⤵PID:3856
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uAkYIMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""68⤵PID:2328
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs69⤵PID:4956
-
-
-
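C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:5012
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
- UAC bypass [this command writes Explorer's Hidden value, not a UAC setting; PID 1488 is also listed for a cmd.exe entry at depth 8 of this tree, so the tag may come from PID-keyed matching — the EnableLUA write in this group is the reg.exe entry directly above]
PID:1488
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵ PID:860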
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKUsUUoE.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""66⤵PID:2512
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs67⤵PID:4952
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f66⤵PID:3356
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 266⤵PID:4940
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 166⤵
- UAC bypass
PID:516
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKsgAMwA.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""64⤵PID:428
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs65⤵PID:3084
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f64⤵PID:1264
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 264⤵PID:3548
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 164⤵PID:4732
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MOcMgocQ.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""62⤵PID:2404
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs63⤵PID:1180
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f62⤵
- Modifies registry key
PID:3980
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 262⤵PID:1376
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 162⤵PID:4692
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqgMgEUA.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""60⤵PID:1176
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs61⤵PID:4808
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f60⤵
- Modifies registry key
PID:3100
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 260⤵PID:3196
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 160⤵PID:4216
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQcgEoAs.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""58⤵PID:4656
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs59⤵PID:5096
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f58⤵
- Modifies registry key
PID:4036
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 258⤵PID:2216
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 158⤵PID:3704
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKUEAAwI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""56⤵PID:1956
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs57⤵PID:2116
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f56⤵PID:1700
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:4908
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 256⤵PID:3076
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 156⤵
- Modifies registry key
PID:4276
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aukEgAIw.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""54⤵PID:1056
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs55⤵PID:2396
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f54⤵
- Modifies registry key
PID:3464
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 254⤵PID:3172
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 154⤵PID:4948
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TMkcMssk.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""52⤵PID:2992
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs53⤵PID:3972
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f52⤵PID:224
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 252⤵PID:2700
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 152⤵PID:2016
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vOEMkAsw.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""50⤵PID:2968
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs51⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:444
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f50⤵PID:1356
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 250⤵PID:2072
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 150⤵PID:1584
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUEwEYcI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""48⤵PID:3156
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs49⤵PID:4596
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f48⤵PID:2568
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 248⤵PID:3896
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵
- Modifies visibility of file extensions in Explorer
PID:4344
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 148⤵PID:644
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piUUgsUw.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""46⤵PID:1232
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs47⤵PID:4652
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f46⤵PID:3592
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 246⤵
- Modifies registry key
PID:2572
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 146⤵PID:3868
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQkQYcYk.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""44⤵PID:1692
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs45⤵PID:320
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f44⤵PID:4288
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 244⤵
- Modifies registry key
PID:4752
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 144⤵PID:4304
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 242⤵PID:2272
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuMYYQog.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""42⤵PID:2044
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs43⤵
- Suspicious behavior: EnumeratesProcesses
PID:2600
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f42⤵PID:2380
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 142⤵PID:2200
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAIsoAUw.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""40⤵PID:3516
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs41⤵PID:4512
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV142⤵
- Modifies visibility of file extensions in Explorer
PID:1052
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f40⤵PID:1304
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 240⤵PID:4496
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 140⤵PID:5008
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uOkEQQAg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""38⤵PID:3584
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs39⤵PID:3092
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f38⤵PID:3512
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 238⤵PID:516
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 138⤵PID:2960
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 236⤵PID:4924
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f36⤵PID:4428
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcAksggo.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""36⤵PID:2328
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs37⤵PID:1836
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 136⤵PID:4992
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMcYgYgU.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""34⤵PID:1180
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs35⤵PID:4536
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f34⤵PID:716
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 234⤵
- Modifies registry key
PID:1816
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 134⤵PID:5084
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMQYYMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""32⤵PID:3384
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs33⤵PID:4808
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f32⤵PID:4488
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 232⤵PID:2152
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 132⤵PID:824
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIYYkcUc.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""30⤵PID:1564
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs31⤵PID:3276
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f30⤵PID:1944
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 230⤵PID:4664
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 130⤵PID:4228
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUgkocYg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""28⤵PID:1656
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs29⤵PID:2600
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f28⤵PID:3952
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 228⤵PID:2260
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 128⤵PID:2576
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 226⤵PID:3516
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWocUocg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""26⤵PID:4796
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f26⤵PID:2020
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 126⤵PID:4168
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSIYUQws.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""24⤵PID:3528
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs25⤵PID:2164
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f24⤵PID:3728
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 224⤵PID:1648
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 124⤵PID:2992
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmwMoQMI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""22⤵PID:3672
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs23⤵PID:5012
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f22⤵
- Modifies registry key
PID:4468
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 222⤵PID:5092
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 122⤵PID:1624
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 120⤵
- Modifies registry key
PID:2620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OCYAAYog.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""20⤵PID:2504
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs21⤵PID:4536
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f20⤵PID:1864
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 220⤵PID:2428
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV120⤵PID:2144
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RwYgMkIA.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""18⤵PID:4148
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs19⤵PID:1036
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f18⤵PID:4928
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 218⤵PID:1184
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 118⤵PID:3384
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 216⤵PID:1564
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgEgcQQE.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""16⤵PID:3784
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs17⤵PID:212
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f16⤵PID:4060
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 116⤵PID:5068
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKsUYMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""14⤵PID:2256
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs15⤵PID:1880
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f14⤵PID:3976
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 214⤵PID:4256
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 114⤵PID:1828
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMgokMws.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""12⤵PID:748
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs13⤵PID:4744
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f12⤵PID:4084
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 212⤵PID:3880
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 112⤵PID:384
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:4528
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yocYowAM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""10⤵PID:1904
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs11⤵PID:5108
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f10⤵PID:1700
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 210⤵PID:4940
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵PID:2188
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 110⤵PID:3712
-
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:4204
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
- UAC bypass
PID:1952
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIQUcMoQ.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""8⤵PID:4392
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵PID:4720
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1080
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:3288
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySAIAYsI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""6⤵PID:4340
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵PID:2404
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:3060
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵PID:424
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵PID:4808
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:4664
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YwYoMQMk.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""4⤵PID:5000
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:2152
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:2492
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:2764
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:3196
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5044
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:2244
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3656
-
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:668
-
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"
2⤵
- Suspicious use of WriteProcessMemory
PID:748
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOYYgMIg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:524
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4488
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:1072
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:5076
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:4084
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Modifies visibility of file extensions in Explorer
PID:4496
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4712
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"1⤵PID:3308
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a2⤵PID:2600
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyEUccoQ.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""3⤵PID:5044
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:2396
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:828
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:4540
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:2928
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"3⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a4⤵PID:644
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"5⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a6⤵PID:4776
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYIwcYAo.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""5⤵PID:1156
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵PID:4240
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
PID:4988
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵PID:2116
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:696
-
-
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
1⤵
PID:5036
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:1400
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWIcUwkI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:1608
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:3688
-
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies visibility of file extensions in Explorer
PID:4092
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:4952
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
1⤵
PID:2188
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1572
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
PID:1232
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:1232
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PuMIsEQY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:3540
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:4340
-
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:444
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:1920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiIMwsww.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:1148
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
PID:4984
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:448
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:1052
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:1656
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4452
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2960
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:2396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIEIogAg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:2168
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4484
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:3144
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:320
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:4756
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:2020
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:3148
-
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:2040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEAswYcE.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:2532
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:2860
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:1584
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a3⤵PID:4924
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"4⤵PID:2968
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a5⤵PID:4528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"6⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a7⤵PID:2916
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 18⤵PID:3708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"8⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a9⤵PID:516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"10⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a11⤵PID:320
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"12⤵PID:4048
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fewUYksg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""12⤵PID:3688
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs13⤵PID:2568
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f12⤵PID:1184
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 212⤵PID:628
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 112⤵PID:968
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RyMMQQIo.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""10⤵PID:4756
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f10⤵PID:4464
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 210⤵PID:3432
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 110⤵PID:2964
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 28⤵PID:224
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f8⤵PID:112
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEoAgcMI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""8⤵PID:564
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵PID:384
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Modifies visibility of file extensions in Explorer
PID:5076
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMkkMYAI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""6⤵PID:3420
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:4628
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵PID:2492
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵PID:4820
-
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies registry key
PID:2224
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3576
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMEIQUwg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""4⤵PID:2144
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:3468
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:2632
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:4752
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:5096
-
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:4488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:3548
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a3⤵PID:2988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scEYcUUI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""4⤵PID:240
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:5004
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies registry key
PID:4652
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:2812
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"4⤵PID:3972
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a5⤵PID:4020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUYYMwEo.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""6⤵PID:240
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵PID:3692
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:4104
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵PID:2204
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵PID:3512
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"6⤵PID:4320
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMgIgYAs.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:432
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:444
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ioEMowEM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""3⤵PID:5100
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:1488
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
PID:4908
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:4344
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"3⤵PID:5108
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:4812
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:1876
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3540
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:2200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"1⤵PID:4816
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a2⤵PID:1428
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"1⤵PID:1376
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a2⤵PID:628
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3688
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3896
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:2576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeAEokEc.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:176
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:1584
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:1564
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"1⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a2⤵PID:5044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"3⤵PID:4436
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSAsMUck.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""3⤵PID:1156
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:2376
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
PID:4532
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
PID:2752
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkIQEkgs.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:2636
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:2244
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:2132
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
PID:404
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2504
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:4044
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:4052
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:3980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:1892
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KogUgAQY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:5080
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:4696
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:2368
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:4780
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCQkQYUY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:4848
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
- Modifies registry key
PID:1108
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies visibility of file extensions in Explorer
PID:3656
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:4740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"1⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:2492
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3576
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:3156
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4776
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:4420
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:832
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:5016
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
PID:828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOEAMwIw.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:3208
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:516
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:4300
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:3908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"1⤵PID:4048
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a2⤵PID:2268
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:1884
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"3⤵PID:208
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCYEgYUs.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""3⤵PID:3544
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:3356
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:3276
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:1816
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmkUQEok.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:4884
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:3172
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:1904
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:2516
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:3336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"1⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:1080
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgQsAcUM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:2916
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
1⤵
- UAC bypass
PID:3008
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:4924
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:4740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"1⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:2520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAQcQsoc.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""1⤵PID:4504
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:1952
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
PID:852
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:3712
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
PID:4496
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2504
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"1⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1576
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:5108
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4204
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious behavior: EnumeratesProcesses
PID:212
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:5108
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a3⤵PID:3448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"4⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a5⤵PID:4728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"6⤵PID:964
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a7⤵PID:1880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"8⤵PID:3384
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a9⤵PID:3380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"10⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a
11⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"12⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a
13⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"14⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a15⤵PID:4536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"16⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a17⤵PID:3076
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵PID:2272
-
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TsswAIEk.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""
18⤵PID:4848
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵PID:384
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵PID:1656
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"18⤵PID:4316
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵PID:1232
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a17⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"18⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a19⤵PID:4188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"20⤵PID:5016
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV121⤵
- Modifies visibility of file extensions in Explorer
PID:4756
-
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a21⤵PID:1552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"22⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a23⤵PID:3588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"24⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a25⤵PID:736
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"26⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a27⤵PID:2236
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"28⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a29⤵PID:5100
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"30⤵PID:3308
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a31⤵PID:2020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"32⤵PID:1224
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a33⤵PID:2256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"34⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a35⤵PID:3096
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"36⤵PID:4784
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 136⤵PID:524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV137⤵PID:1428
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmgAIEAc.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""36⤵PID:2852
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵PID:4744
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f36⤵PID:716
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 236⤵PID:3300
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceYsUwMw.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""34⤵PID:3168
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs35⤵PID:224
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f34⤵PID:3756
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 234⤵PID:4320
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 134⤵PID:3452
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smMYIsoU.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""32⤵PID:1304
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs33⤵PID:3896
-
-
-
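C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies visibility of file extensions in Explorer
PID:4780
[Note: the label above is shown as reported. This command line sets EnableLUA (the UAC policy value), not HideFileExt. PIDs recur in this tree (e.g. 716, 1876), so the label may belong to another process that held PID 4780; correlate by command line rather than by tag.]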
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 232⤵PID:2168
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 132⤵PID:3448
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMQcMcYA.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""30⤵PID:4088
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs31⤵PID:4420
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f30⤵PID:3584
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 230⤵PID:4104
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 130⤵PID:2204
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaYEAkgo.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""28⤵PID:4688
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs29⤵PID:4412
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f28⤵PID:4708
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 228⤵
- Modifies registry key
PID:212
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 128⤵
- Modifies visibility of file extensions in Explorer
PID:1884
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\foMEMYAA.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""26⤵PID:2992
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵
- UAC bypass
PID:5004
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs27⤵PID:3980
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f26⤵PID:4348
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 226⤵PID:4192
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 126⤵PID:4220
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umUwcIAg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""24⤵PID:224
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs25⤵PID:2648
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f24⤵PID:1416
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 224⤵
- Modifies visibility of file extensions in Explorer
PID:1876
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 124⤵PID:1424
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YcQcMwok.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""22⤵PID:3736
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs23⤵PID:432
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f22⤵
- Modifies registry key
PID:3300
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 222⤵PID:3488
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 122⤵PID:2564
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baAgEQYE.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""20⤵PID:4532
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs21⤵PID:4652
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f20⤵PID:3852
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 220⤵
- Modifies registry key
PID:1380
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 120⤵
- UAC bypass
PID:2376
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwMEAYcg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""18⤵PID:3704
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs19⤵PID:3948
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f18⤵PID:1672
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 218⤵
- Modifies registry key
PID:860
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 118⤵PID:1840
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKMsgooQ.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""16⤵PID:4372
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs17⤵PID:3908
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f16⤵PID:3440
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 216⤵PID:2916
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 116⤵PID:716
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsQIQQQY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""14⤵PID:4864
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs15⤵PID:5104
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f14⤵PID:3228
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 214⤵PID:1876
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 114⤵PID:1440
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwMogEIA.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""12⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1400 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs13⤵PID:2572
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f12⤵PID:3060
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 212⤵PID:1356
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 112⤵PID:4356
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOQQAoIk.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""10⤵PID:3600
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs11⤵PID:1136
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f10⤵PID:2860
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 210⤵
- Modifies registry key
PID:1892
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 110⤵PID:1048
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWkYEQIE.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""8⤵PID:4592
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵PID:3136
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f8⤵PID:2280
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵PID:1956
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵PID:4116
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQgYYEYw.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""6⤵PID:4596
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:1224
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵PID:2244
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵PID:4148
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwYwUIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""4⤵PID:3924
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:2368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:1608
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:1304
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:1392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- UAC bypass
PID:4628
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWYMwIck.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:64
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:2792
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:716
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵PID:3036
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵PID:3340
-
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵PID:4504
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4732
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2900
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
PID:3468
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:4888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:3896
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a3⤵PID:4540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"4⤵PID:4884
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a5⤵PID:4752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"6⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a7⤵PID:428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"8⤵PID:4820
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a9⤵PID:1340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYMYgwws.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""10⤵PID:4092
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f10⤵PID:736
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 210⤵PID:4112
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 110⤵PID:1180
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"10⤵PID:3972
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewgkwkEA.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""8⤵PID:4392
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f8⤵PID:3600
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 28⤵PID:1560
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 18⤵PID:3672
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGUsAcoQ.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""6⤵PID:424
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:3940
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
- Modifies registry key
PID:2860
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵PID:1592
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:1016
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKcwkwYs.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""4⤵PID:4892
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
- Modifies visibility of file extensions in Explorer
PID:4360
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:2172
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:1376
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zigIwUsY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:2600
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:5080
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4756
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:1040
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3548
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
PID:4900
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1672
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
PID:628
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4356
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:4688
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:3028
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yEgsgEko.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:404
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:4228
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:1140
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
PID:2020
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
PID:4084
-
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵
- Modifies visibility of file extensions in Explorer
PID:4740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKwockEI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:2028
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:3204
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:2368
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:4316
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:2200
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:3332
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:240
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4452
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious behavior: EnumeratesProcesses
PID:644
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:3148
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:1892
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a3⤵PID:2408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"4⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a5⤵PID:2236
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"6⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a7⤵PID:4324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"8⤵PID:1084
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵PID:2396
-
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a9⤵PID:1904
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"10⤵PID:3692
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a11⤵PID:3068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"12⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a13⤵PID:5036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"14⤵PID:4268
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵PID:2040
-
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a15⤵PID:5080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"16⤵PID:1428
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a17⤵PID:2356
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"18⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a19⤵PID:4980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"20⤵PID:980
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a21⤵PID:3312
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"22⤵PID:3892
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a23⤵PID:5092
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"24⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a25⤵PID:4908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"26⤵PID:4888
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵
- Modifies visibility of file extensions in Explorer
PID:4752
-
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a27⤵PID:1392
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"28⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a29⤵PID:2620
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"30⤵PID:3732
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a31⤵PID:3736
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"32⤵PID:4204
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a33⤵PID:1652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"34⤵PID:1952
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a35⤵PID:884
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"36⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a37⤵PID:4608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"38⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a39⤵PID:3204
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"40⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a41⤵PID:3692
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"42⤵PID:3756
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a43⤵PID:8
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"44⤵PID:2900
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a45⤵PID:2080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"46⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a47⤵PID:3972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"48⤵PID:1312
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"50⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a51⤵PID:5100
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"52⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a53⤵PID:3256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"54⤵PID:2480
-
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kisIUgkI.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""
54⤵ PID:1404
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵ PID:4420
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵ PID:4728
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵ PID:1700
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:3908
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 152⤵
- UAC bypass
- Modifies registry key
PID:3172
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OgoIcUgM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""52⤵PID:2628
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs53⤵PID:3500
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f52⤵
- UAC bypass
PID:4484
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 252⤵PID:2284
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIAUgQwY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""50⤵
- Modifies visibility of file extensions in Explorer
PID:2516 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs51⤵PID:3780
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f50⤵PID:3164
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 250⤵
- Modifies registry key
PID:3228
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 150⤵
- Modifies registry key
PID:5000
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyQYscks.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""48⤵PID:3420
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs49⤵PID:428
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f48⤵PID:2532
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 248⤵PID:2876
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 148⤵PID:3688
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 246⤵PID:1892
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 146⤵PID:1624
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f46⤵PID:4864
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYEgEAMA.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""46⤵PID:4112
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs47⤵PID:432
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f44⤵PID:2620
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAAYsUoM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""44⤵PID:4216
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs45⤵PID:4400
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 244⤵PID:4116
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 144⤵PID:4620
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMksooww.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""42⤵PID:5036
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs43⤵PID:5072
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f42⤵PID:1392
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 242⤵PID:3520
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 142⤵PID:800
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 140⤵PID:3584
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\myQoUIUk.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""40⤵PID:2600
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs41⤵PID:1148
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f40⤵PID:4736
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 240⤵PID:2204
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGgIsUkQ.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""38⤵PID:3492
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs39⤵PID:3500
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f38⤵PID:5092
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 238⤵PID:216
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 138⤵PID:3528
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSwAkIEg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""36⤵PID:3356
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs37⤵PID:3780
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f36⤵PID:4012
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 236⤵PID:4960
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 136⤵PID:3728
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hasgogYU.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""34⤵PID:4308
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV135⤵PID:1124
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs35⤵PID:4496
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f34⤵PID:4980
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 234⤵
- Modifies registry key
PID:2404
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 134⤵PID:5084
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f32⤵
- UAC bypass
PID:4988
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 232⤵PID:4716
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵PID:2268
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReUEUsAM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""32⤵PID:2176
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs33⤵PID:4940
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 132⤵
- Modifies registry key
PID:1080
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qksckgYg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""30⤵PID:4256
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs31⤵PID:4360
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f30⤵
- UAC bypass
PID:1184
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 230⤵PID:1440
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 130⤵PID:4720
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loEIcEEA.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""28⤵PID:4040
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs29⤵PID:2632
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f28⤵PID:4224
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 228⤵PID:3868
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 128⤵PID:4488
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YeYUckcE.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""26⤵PID:3544
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs27⤵PID:1628
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f26⤵PID:1468
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 226⤵PID:3068
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 126⤵PID:3924
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DGMYwEQg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""24⤵PID:1056
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs25⤵PID:4612
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f24⤵
- Modifies visibility of file extensions in Explorer
PID:2200
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 224⤵
- Modifies visibility of file extensions in Explorer
PID:2812
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 124⤵PID:3144
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 222⤵PID:1004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEoIcsMw.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""22⤵PID:4104
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵PID:1656
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs23⤵PID:4504
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵PID:4848
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f22⤵
- Modifies registry key
PID:484
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 122⤵PID:2224
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YCosUowo.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""20⤵PID:2776
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs21⤵PID:2284
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f20⤵
- Modifies registry key
PID:2184
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 220⤵PID:2236
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 120⤵PID:2876
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsAoEgkg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""18⤵PID:2764
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs19⤵PID:3972
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f18⤵PID:4112
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 218⤵PID:2408
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 118⤵
- Modifies visibility of file extensions in Explorer
PID:4820
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGEwEIgY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""16⤵PID:4376
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs17⤵PID:4640
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f16⤵PID:1040
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 216⤵
- Modifies registry key
PID:448
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 116⤵PID:4400
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUMgAkoM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""14⤵PID:564
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs15⤵PID:5072
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f14⤵PID:780
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 214⤵PID:4092
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 114⤵PID:5016
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f12⤵PID:4288
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQgcAkIY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""12⤵PID:1380
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs13⤵PID:2392
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
- UAC bypass
PID:4984
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 212⤵PID:2216
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 112⤵PID:3196
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOEUYYwg.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""10⤵PID:3568
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs11⤵PID:1792
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f10⤵PID:3408
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 210⤵PID:3308
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 110⤵PID:216
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsQEcscY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""8⤵PID:3404
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵PID:2272
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f8⤵PID:4816
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵ PID:1744
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵ PID:4512
-
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵ PID:2088
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dsUUYMUw.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""6⤵PID:1072
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵PID:3288
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:4044
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵PID:4744
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQMgUQgM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""4⤵PID:2352
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:224
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
PID:424
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵ PID:4264
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵ PID:524
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Modifies visibility of file extensions in Explorer
PID:2928
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIgYgIoY.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""2⤵PID:4308
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:824
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
PID:4320 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2368
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵ PID:3452
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2132
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵ PID:2360
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:716
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:1592
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:2916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:1564
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4436
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
PID:2576
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
PID:4356
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
PID:404
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:5044
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:2860
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:1624
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
PID:2752
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a1⤵PID:1552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"2⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a3⤵PID:532
-
C:\Users\Admin\baQcEMMk\GUsQEMco.exe
"C:\Users\Admin\baQcEMMk\GUsQEMco.exe"
4⤵ PID:4024
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 372
5⤵
- Program crash
PID:5092
-
-
-
C:\ProgramData\SMgIwYko\gmMgcIIw.exe
"C:\ProgramData\SMgIwYko\gmMgcIIw.exe"
4⤵ PID:2352
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 264
5⤵
- Program crash
PID:980
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"4⤵PID:4708
-
C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exeC:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a5⤵PID:4796
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a"6⤵PID:5112
-
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1548
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:4240
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
PID:2628
-
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:1176
-
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIgIAcEM.bat" "C:\Users\Admin\AppData\Local\Temp\84d45396fbffe5777785740763f5ca8a5afe37f1e662c81c042a9c03050bb59a.exe""
2⤵
PID:3880
-
C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:3596
-
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2080
-
-
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:4664
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
PID:4464
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵PID:208
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2352 -ip 2352
2⤵
PID:2260
-
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4024 -ip 4024
2⤵
PID:2164
-
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3436 -ip 3436
2⤵
PID:2636
-
-
C:\ProgramData\RiUQUIQE\rkgEQgEo.exeC:\ProgramData\RiUQUIQE\rkgEQgEo.exe1⤵PID:3436
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 412
2⤵
- Program crash
PID:4276
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Modifies visibility of file extensions in Explorer
PID:2224
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
434KB
MD5 291908a48d98ad729c5b4e14df866265
SHA1 67de0e0f895a15a5483ae2e3a2272c8b78ae6fc8
SHA256 f25ebe9f348eac6bd1be458444a80e194081dd961eaab0597ff21217a6def696
SHA512 cc7c6ff4ad18496393ef799ed02b4814c028e42ddfab82f5cbfa37ff6adb2af70c0999b7a64b2350d15ac6ef9df4edbf4d0e250ffe6a8af9f3198b7c924ba0f1
-
Filesize
434KB
MD5291908a48d98ad729c5b4e14df866265
SHA167de0e0f895a15a5483ae2e3a2272c8b78ae6fc8
SHA256f25ebe9f348eac6bd1be458444a80e194081dd961eaab0597ff21217a6def696
SHA512cc7c6ff4ad18496393ef799ed02b4814c028e42ddfab82f5cbfa37ff6adb2af70c0999b7a64b2350d15ac6ef9df4edbf4d0e250ffe6a8af9f3198b7c924ba0f1
-
Filesize
429KB
MD5 ec68c1987b8b9aa5108bbbf84a5b8dc5
SHA1 881cf38b3014eb28e9f6c58400bfae91196dd703
SHA256 c2d7cd668dc71ffb22455ca593444ac306fda732619582b84d7c5c5429b37717
SHA512 a852c759ec7b227c1e31a93ce7f027f31a0e17a043b52820584b75488fdc7a7bd526cc9cc9b08ae2f6980d07609dfb45359d75620a88c4fbf2f6b672f454ce5c
-
Filesize
429KB
MD5ec68c1987b8b9aa5108bbbf84a5b8dc5
SHA1881cf38b3014eb28e9f6c58400bfae91196dd703
SHA256c2d7cd668dc71ffb22455ca593444ac306fda732619582b84d7c5c5429b37717
SHA512a852c759ec7b227c1e31a93ce7f027f31a0e17a043b52820584b75488fdc7a7bd526cc9cc9b08ae2f6980d07609dfb45359d75620a88c4fbf2f6b672f454ce5c
-
Filesize
6KB
MD5 f2139758e1ca788944e3d676ffdf569d
SHA1 ac4ba97181837b96227c14b9b7dacee876688f14
SHA256 e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA512 4e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
6KB
MD5f2139758e1ca788944e3d676ffdf569d
SHA1ac4ba97181837b96227c14b9b7dacee876688f14
SHA256e6886ff1f0d7ba5f6fafe66d8de31dcac805690e3a2c23aa22e4854db03be58d
SHA5124e43e97bd24a6f258872392685f0699faa8f6de78e9685b368f2b277794fb6866b4462eaf906b01bc11e4d1d4e8a064c6948b0aba2146b6800bd3957675bb3b1
-
Filesize
112B
MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
19B
MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
430KB
MD5 77edc9f8261fd11ab7ff7482b125142a
SHA1 8d39f68e16162ada5d32fbe7e2535e20f651f37c
SHA256 613dbda5f7ca2c44c5247eae8cb1588be2da8ccb4428c13ca3429ac6e2164021
SHA512 010abf68d27e3e558bac065d69beb46c5a6e110dfe3f13cfb7778f27bf5d7e447379fd2f387fd7823c89ee00fb4c7b5fa62597a74bc044ccb200e88146369a37
-
Filesize
430KB
MD577edc9f8261fd11ab7ff7482b125142a
SHA18d39f68e16162ada5d32fbe7e2535e20f651f37c
SHA256613dbda5f7ca2c44c5247eae8cb1588be2da8ccb4428c13ca3429ac6e2164021
SHA512010abf68d27e3e558bac065d69beb46c5a6e110dfe3f13cfb7778f27bf5d7e447379fd2f387fd7823c89ee00fb4c7b5fa62597a74bc044ccb200e88146369a37