Analysis
-
max time kernel
188s -
max time network
198s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30/10/2022, 22:26
General
-
Target
862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe
-
Size
493KB
-
MD5
91bd1e636e9b22b27ee5ff26c0013b90
-
SHA1
780e4aaf6645b9acb08db9a31297531e27166941
-
SHA256
862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31
-
SHA512
3a2fbcefe28e103141f1bda319d9ffc9d44d249b0a5755c292e282f8047fff8678964d291733eaeab630fab30e0daa54ebcc3bf7b63b17434a5d93db53032feb
-
SSDEEP
12288:Ij/tO6OU85qlIFAktw4Pi0YYIJgXa6ESJy8AR5SJ:qHOJqWmkpPi0YYIJiPN6A
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 64 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe"C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\YIAQIIMY\tEAsEcUU.exe"C:\Users\Admin\YIAQIIMY\tEAsEcUU.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\ProgramData\VUsIwgMY\nqgocoEI.exe"C:\ProgramData\VUsIwgMY\nqgocoEI.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc313⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWAYoIAc.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"4⤵
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xsgQIAss.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""2⤵
-
-
C:\ProgramData\iccwQYUU\kekUEIUk.exeC:\ProgramData\iccwQYUU\kekUEIUk.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEkooQcA.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"1⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc312⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIIQEIsk.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""3⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"4⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc315⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMkAoMIk.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""6⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"6⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyIcYIwE.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fKwUkoIs.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""5⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies visibility of file extensions in Explorer
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"3⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc314⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMEQkAMo.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""5⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc311⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc311⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"2⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc313⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEIQIogE.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PcgEEssM.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwMscUYg.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc311⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"2⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc313⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fUEgwIUg.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiwsEwMI.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc313⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmMYwEAc.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc312⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"1⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc312⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMUMUkos.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""3⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"3⤵
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKoEwAgk.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""2⤵
- Process spawned unexpected child process
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Process spawned unexpected child process
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Process spawned unexpected child process
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Process spawned unexpected child process
- Modifies registry key
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc311⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUgkQssE.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc311⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmgsQQkg.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc311⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"2⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc313⤵
- Modifies visibility of file extensions in Explorer
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc314⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lucsMMgs.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc311⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"2⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc313⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"4⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc315⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"6⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc317⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"8⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc319⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"10⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"12⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3113⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"14⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"16⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3117⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f16⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 216⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 116⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygwcsQoc.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""16⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs17⤵
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 114⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCcksUMo.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""14⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs15⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 214⤵
- Modifies registry key
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XegEgoYw.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""12⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs13⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f12⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 212⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 112⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 110⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dUQYYEUI.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""10⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs11⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f10⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 210⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 18⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"9⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3110⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"11⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3112⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCEAEksc.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""11⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f11⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 211⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 111⤵
- Modifies visibility of file extensions in Explorer
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jawMsEsY.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""9⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f9⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 29⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 19⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQUcoEog.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""8⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f8⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 28⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYIYAcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""6⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMAEIYgI.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies registry key
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUUgcUsw.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc311⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"1⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc311⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc311⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qusEIwEE.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"2⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"1⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc312⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"3⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc314⤵
-
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"1⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc312⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCcIIwMc.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""3⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"3⤵
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"1⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc312⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gMkkIYIY.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""3⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Modifies visibility of file extensions in Explorer
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"1⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc312⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"3⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc314⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loEIsEkI.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HswkwgAo.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""3⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc314⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hUoUUMkY.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ecgIYMoA.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"1⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc312⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"3⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc314⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"5⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc316⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"7⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc318⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"9⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3110⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"11⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3112⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"13⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3114⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"15⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3116⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"17⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3118⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"19⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3120⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"21⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3122⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"23⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3124⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"25⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3126⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"27⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3128⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"29⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3130⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"31⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3132⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"33⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3134⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"35⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3136⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"37⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3138⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"39⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3140⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"41⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3142⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"43⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3144⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"45⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3146⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"47⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3148⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"49⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3150⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"51⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3152⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"53⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3154⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"55⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3156⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"57⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3158⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"59⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3160⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"61⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3162⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"63⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3164⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"65⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3166⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"67⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3168⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"69⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3170⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"71⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3172⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aaYUMYQY.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""73⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs74⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f73⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 273⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 173⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TgcssUIg.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""71⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs72⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f71⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 271⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 171⤵
- Modifies visibility of file extensions in Explorer
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMgwEgIA.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""69⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs70⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f69⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 269⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 169⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAsYoUEs.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""67⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs68⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f67⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 267⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 167⤵
- Modifies registry key
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 165⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f65⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIEsMMwc.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""65⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs66⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 265⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEIYMEgM.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""63⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs64⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f63⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 263⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 163⤵
- Modifies registry key
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MGcQoQQA.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""61⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs62⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f61⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 261⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 161⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAUMgwoA.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""59⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs60⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f59⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 259⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 159⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 157⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqMswoks.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""57⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs58⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f57⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 257⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQcQAkQw.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""55⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs56⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f55⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 255⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 155⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ciYMUQcQ.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""53⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs54⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f53⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 253⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 153⤵
- Modifies visibility of file extensions in Explorer
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 151⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ySQEEwIA.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""51⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs52⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f51⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 251⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwIQAsYQ.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""49⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs50⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f49⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 249⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 149⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GicgEEkc.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""47⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs48⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f47⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 247⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 147⤵
- Modifies visibility of file extensions in Explorer
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iykAEoYk.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""45⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs46⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f45⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 245⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 145⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f43⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEcoYEoU.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""43⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs44⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 243⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 143⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUgUYwQU.bat" "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exe""41⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs42⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f41⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 241⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 141⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"40⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3141⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"42⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3143⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"44⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3145⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"46⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3147⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"48⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3149⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"50⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3151⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"52⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3153⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"54⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3155⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"56⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3157⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"58⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3159⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"60⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3161⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"62⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3163⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"64⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3165⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"66⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3167⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"68⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3169⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"70⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3171⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"72⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3173⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"74⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3175⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"76⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3177⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"78⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3179⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"80⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3181⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"82⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3183⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"84⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3185⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"86⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3187⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"88⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3189⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"90⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3191⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"92⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3193⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"94⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3195⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"96⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3197⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"98⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc3199⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"100⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31101⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"102⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31103⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"104⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31105⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"106⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31107⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"108⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31109⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"110⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"112⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31113⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"114⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"116⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31117⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"118⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31119⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31"120⤵
-
C:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31.exeC:\Users\Admin\AppData\Local\Temp\862dfab82b9468b58c841bcc780c42835fb061d983298eac8f16b973137bdc31121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-