Analysis
-
max time kernel
155s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30-10-2022 22:29
General
-
Target
4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exe
-
Size
439KB
-
MD5
a0a94f9d75cdb129408381ff11a95640
-
SHA1
07c4d9ad5db1c6fa1e408653042132c95733e4cb
-
SHA256
4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1
-
SHA512
da63bd18bd70ae019b3dd6105920b670c849d73b40ca7971eb491b30df8fbf03c2b45868b8c9c79b44e58034948a64d7d6c67ba00e4aae8e4781de0041398262
-
SSDEEP
12288:xbFDBR0x9PTTJ8cDqgYpbcaivDgaTNL/3PLiQwfoD:/kx9vSaq7bcaogofPU4
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exe"C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\sawMUsUE\tsgYgwkI.exe"C:\Users\Admin\sawMUsUE\tsgYgwkI.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\ProgramData\KisMkgoI\OycIYwYw.exe"C:\ProgramData\KisMkgoI\OycIYwYw.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee15⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee17⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"8⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee19⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"10⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee111⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"12⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee113⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"14⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee115⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"16⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee117⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"18⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee119⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"20⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee121⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"22⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee123⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"24⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee125⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"26⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee127⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"28⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee129⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"30⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee131⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"32⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee133⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"34⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee135⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"36⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee137⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"38⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee139⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"40⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee141⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"42⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee143⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"44⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee145⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"46⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee147⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"48⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee149⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"50⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee151⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"52⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee153⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"54⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee155⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"56⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee157⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"58⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee159⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"60⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee161⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"62⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee163⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"64⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee165⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"66⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee167⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"68⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee169⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"70⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee171⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"72⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee173⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"74⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee175⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"76⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee177⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"78⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee179⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"80⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee181⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"82⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee183⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"84⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee185⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"86⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee187⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"88⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee189⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"90⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee191⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"92⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee193⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"94⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee195⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"96⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee197⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"98⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee199⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"100⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1101⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"102⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1103⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"104⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1105⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"106⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1107⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"108⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1109⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"110⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"112⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1113⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"114⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"116⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1117⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"118⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1119⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1"120⤵
-
C:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1.exeC:\Users\Admin\AppData\Local\Temp\4dc8a9e492072b41f29c8f80c303f88b3ed98cc35b2ba641d7dcfa7b8aafaee1121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-