Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
06-11-2022 19:32
General
-
Target
fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exe
-
Size
495KB
-
MD5
0deecb315eb35cd6ed16af00d987f160
-
SHA1
c4c8f0f1282709ec173008a14f9c3726501ec100
-
SHA256
fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7
-
SHA512
a513c917c52e5f01a63c0049a1e39a3100dd33da04864b5b214ea704188a60310ba9fccf919c8104e5bf8b73f4769a1ba1c1cec49d9dfe6c12b474f68a85fd7b
-
SSDEEP
12288:FgyohFzwp4jpZBjaPV7G4XvCCnwIOVEFasfpEKlSgl:FgJdwp6PBqPfCiwrVEIsFf
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Drops file in System32 directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exe"C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\POsYcgwE\ESEgIUIk.exe"C:\Users\Admin\POsYcgwE\ESEgIUIk.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
-
C:\ProgramData\HqwgIwoY\YCoQAsQk.exe"C:\ProgramData\HqwgIwoY\YCoQAsQk.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f73⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f75⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f77⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"8⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f79⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"10⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f711⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"12⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f713⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"14⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f715⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"16⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f717⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"18⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f719⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"20⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f721⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"22⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f723⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"24⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f725⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"26⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f727⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"28⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f729⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"30⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f731⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"32⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f733⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"34⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f735⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"36⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f737⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"38⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f739⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"40⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f741⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"42⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f743⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"44⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f745⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"46⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f747⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"48⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f749⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"50⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f751⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"52⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f753⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"54⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f755⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"56⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f757⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"58⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f759⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"60⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f761⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"62⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f763⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"64⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f765⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"66⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f767⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"68⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f769⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"70⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵
-
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f771⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"72⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f773⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"74⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f775⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"76⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f777⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"78⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f779⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"80⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵
- UAC bypass
-
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f781⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"82⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f783⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"84⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f785⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"86⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f787⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"88⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f789⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"90⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f791⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"92⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f793⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"94⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f795⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"96⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f797⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"98⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f799⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"100⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7101⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"102⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7103⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"104⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7105⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"106⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7107⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"108⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7109⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"110⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"112⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7113⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"114⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"116⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7117⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"118⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7119⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7"120⤵
-
C:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7.exeC:\Users\Admin\AppData\Local\Temp\fbd76c2b47bbbbf3e2ecc3fbd73bc5a22e237efad379b74ed9c5ac4906e237f7121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-