Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 10:36
Static task: static1
Behavioral task: behavioral1
Sample: 17b33dcdde306525f9dd0bce6b1b88dd.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 17b33dcdde306525f9dd0bce6b1b88dd.exe
Resource: win10v2004-20231215-en
General
Target: 17b33dcdde306525f9dd0bce6b1b88dd.exe
Size: 484KB
MD5: 17b33dcdde306525f9dd0bce6b1b88dd
SHA1: d26781a26a1fd95cd6f59b4a1da7983062175695
SHA256: 59f828a2ac3c9211c1f4108053106b4747fd0f5beec37480ac500beb1f213c62
SHA512: cb9374d93f274aa6eac44b7243473e0791ff942776aae5fcd4aa6aea6ba1b1ca1b0a3724ade7c0619ce191c79da975e558b3f1077b38afcbbc0ee583e73f7462
SSDEEP: 12288:twZYOWYidkkN4mSDGHfL+ewv3dkZ54Med6rjNJ:yYOWF3GAwdkZbU6nNJ
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Renames multiple (56) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (process: LYskoEIo.exe)
Executes dropped EXE 3 IoCs
pid 4624: LYskoEIo.exe
pid 4080: JIEAoQss.exe
pid 1308: usYcQYww.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 5 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LYskoEIo.exe = "C:\\Users\\Admin\\tAIMQEYU\\LYskoEIo.exe" (process: 17b33dcdde306525f9dd0bce6b1b88dd.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JIEAoQss.exe = "C:\\ProgramData\\kOAggckI\\JIEAoQss.exe" (process: Conhost.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LYskoEIo.exe = "C:\\Users\\Admin\\tAIMQEYU\\LYskoEIo.exe" (process: LYskoEIo.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JIEAoQss.exe = "C:\\ProgramData\\kOAggckI\\JIEAoQss.exe" (process: usYcQYww.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JIEAoQss.exe = "C:\\ProgramData\\kOAggckI\\JIEAoQss.exe" (process: JIEAoQss.exe)
Drops file in System32 directory 7 IoCs
File opened for modification: C:\Windows\SysWOW64\sheShowDismount.gif (process: LYskoEIo.exe)
File opened for modification: C:\Windows\SysWOW64\config\systemprofile\tAIMQEYU (process: usYcQYww.exe)
File opened for modification: C:\Windows\SysWOW64\config\systemprofile\tAIMQEYU\LYskoEIo (process: usYcQYww.exe)
File created: C:\Windows\SysWOW64\shell32.dll.exe (process: LYskoEIo.exe)
File opened for modification: C:\Windows\SysWOW64\sheGetUnlock.docm (process: LYskoEIo.exe)
File opened for modification: C:\Windows\SysWOW64\sheGroupSend.mp3 (process: LYskoEIo.exe)
File opened for modification: C:\Windows\SysWOW64\sheRevokeRequest.xls (process: LYskoEIo.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry key 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid 4624: LYskoEIo.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4536 wrote to memory of 4624 | 4536 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 91
PID 4536 wrote to memory of 4624 | 4536 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 91
PID 4536 wrote to memory of 4624 | 4536 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 91
PID 4536 wrote to memory of 4080 | 4536 | Conhost.exe | 92
PID 4536 wrote to memory of 4080 | 4536 | Conhost.exe | 92
PID 4536 wrote to memory of 4080 | 4536 | Conhost.exe | 92
PID 4536 wrote to memory of 1816 | 4536 | Conhost.exe | 1204
PID 4536 wrote to memory of 1816 | 4536 | Conhost.exe | 1204
PID 4536 wrote to memory of 1816 | 4536 | Conhost.exe | 1204
PID 1816 wrote to memory of 2992 | 1816 | cmd.exe | 1203
PID 1816 wrote to memory of 2992 | 1816 | cmd.exe | 1203
PID 1816 wrote to memory of 2992 | 1816 | cmd.exe | 1203
PID 4536 wrote to memory of 2116 | 4536 | Conhost.exe | 1202
PID 4536 wrote to memory of 2116 | 4536 | Conhost.exe | 1202
PID 4536 wrote to memory of 2116 | 4536 | Conhost.exe | 1202
PID 4536 wrote to memory of 3344 | 4536 | Conhost.exe | 1201
PID 4536 wrote to memory of 3344 | 4536 | Conhost.exe | 1201
PID 4536 wrote to memory of 3344 | 4536 | Conhost.exe | 1201
PID 4536 wrote to memory of 1652 | 4536 | Conhost.exe | 1200
PID 4536 wrote to memory of 1652 | 4536 | Conhost.exe | 1200
PID 4536 wrote to memory of 1652 | 4536 | Conhost.exe | 1200
PID 2992 wrote to memory of 4780 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1199
PID 2992 wrote to memory of 4780 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1199
PID 2992 wrote to memory of 4780 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1199
PID 4780 wrote to memory of 3520 | 4780 | cmd.exe | 1198
PID 4780 wrote to memory of 3520 | 4780 | cmd.exe | 1198
PID 4780 wrote to memory of 3520 | 4780 | cmd.exe | 1198
PID 2992 wrote to memory of 3272 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1197
PID 2992 wrote to memory of 3272 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1197
PID 2992 wrote to memory of 3272 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1197
PID 2992 wrote to memory of 1436 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1196
PID 2992 wrote to memory of 1436 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1196
PID 2992 wrote to memory of 1436 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1196
PID 2992 wrote to memory of 2072 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1194
PID 2992 wrote to memory of 2072 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1194
PID 2992 wrote to memory of 2072 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1194
PID 2992 wrote to memory of 4132 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1127
PID 2992 wrote to memory of 4132 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1127
PID 2992 wrote to memory of 4132 | 2992 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1127
PID 4132 wrote to memory of 4452 | 4132 | cscript.exe | 1134
PID 4132 wrote to memory of 4452 | 4132 | cscript.exe | 1134
PID 4132 wrote to memory of 4452 | 4132 | cscript.exe | 1134
PID 3520 wrote to memory of 3252 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1191
PID 3520 wrote to memory of 3252 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1191
PID 3520 wrote to memory of 3252 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1191
PID 3252 wrote to memory of 2408 | 3252 | cmd.exe | 880
PID 3252 wrote to memory of 2408 | 3252 | cmd.exe | 880
PID 3252 wrote to memory of 2408 | 3252 | cmd.exe | 880
PID 3520 wrote to memory of 1700 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1190
PID 3520 wrote to memory of 1700 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1190
PID 3520 wrote to memory of 1700 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1190
PID 3520 wrote to memory of 5000 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1189
PID 3520 wrote to memory of 5000 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1189
PID 3520 wrote to memory of 5000 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1189
PID 3520 wrote to memory of 4616 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1188
PID 3520 wrote to memory of 4616 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1188
PID 3520 wrote to memory of 4616 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1188
PID 3520 wrote to memory of 740 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1187
PID 3520 wrote to memory of 740 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1187
PID 3520 wrote to memory of 740 | 3520 | 17b33dcdde306525f9dd0bce6b1b88dd.exe | 1187
PID 740 wrote to memory of 4308 | 740 | cmd.exe | 1183
PID 740 wrote to memory of 4308 | 740 | cmd.exe | 1183
PID 740 wrote to memory of 4308 | 740 | cmd.exe | 1183
PID 2408 wrote to memory of 4260 | 2408 | reg.exe | 1182
System policy modification 1 TTPs 40 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 17b33dcdde306525f9dd0bce6b1b88dd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Users\Admin\tAIMQEYU\LYskoEIo.exe"C:\Users\Admin\tAIMQEYU\LYskoEIo.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4624
-
-
C:\ProgramData\kOAggckI\JIEAoQss.exe"C:\ProgramData\kOAggckI\JIEAoQss.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4080
-
-
C:\ProgramData\FKgcsscA\usYcQYww.exeC:\ProgramData\FKgcsscA\usYcQYww.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amAkEcME.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:4132
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:4452
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
- Modifies visibility of file extensions in Explorer
PID:3424
-
-
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:2408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd2⤵PID:3020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOkQAQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""3⤵PID:4548
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd4⤵PID:1516
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:4240
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies visibility of file extensions in Explorer
PID:460
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"3⤵PID:112
-
-
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:4784
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:2344
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4028
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:3500
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:3220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:3184
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:1732
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd2⤵PID:1956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"3⤵PID:2200
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sggoYwUo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""3⤵PID:4708
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:3548
-
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2276
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4448
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:4940
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3548
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:4536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd3⤵PID:5012
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGggQEgI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""4⤵PID:5116
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:3548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUcMMckA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""5⤵PID:3408
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵PID:1068
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
- Modifies registry key
PID:2508
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies visibility of file extensions in Explorer
PID:1212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"5⤵PID:944
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:3544
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies registry key
PID:1176
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"4⤵PID:4604
-
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1304
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:3580
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2072
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd2⤵PID:2160
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewAkoAsA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""3⤵PID:4644
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4264
-
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:1320
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1972
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:216
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3024
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:3540
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQYckAoo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵
- Modifies visibility of file extensions in Explorer
PID:2356 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1176
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:228
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:1100
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd3⤵PID:4968
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:4784
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4076
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:3368
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:1560
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWQggAow.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵PID:1072
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4544
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4960
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
PID:640
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:2340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcYEUMMI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵PID:4984
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4920
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
PID:208 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
PID:2992 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- UAC bypass
- Modifies registry key
PID:2072
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies registry key
PID:1436
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:3272
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"4⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4780
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd4⤵PID:4136
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:1628
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"3⤵PID:4780
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:5060
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
PID:3160
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:4548
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4032
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:3408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGQMIIcg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵PID:1556
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4268
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:2612
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:424
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:3728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKgQUYkA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:3424
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:3116
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd2⤵PID:1420
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"3⤵PID:424
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd4⤵PID:4700
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mAoMoEsc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""5⤵PID:4052
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵PID:3436
-
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:1648
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:228
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:3168
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:724
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:4248
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:4476
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3344
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:4656
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:320
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:3424
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:5116
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:508
-
-
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:4644
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd3⤵PID:2292
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:3844
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2764
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:4976
-
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:3636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd2⤵PID:3548
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGQYoksM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""3⤵PID:112
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:2408
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- UAC bypass
PID:4852
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:4336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YIoYEIEk.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""4⤵PID:4224
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
PID:4384 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- UAC bypass
PID:4724
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:1304
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:1580
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"4⤵PID:2168
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:4492
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵PID:4964
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4916
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:3424
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUAEUUIU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""4⤵PID:3116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuUAgoIo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""5⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd6⤵PID:3252
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- UAC bypass
PID:4396
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵PID:4092
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵PID:2584
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"5⤵PID:4700
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:1556
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:2380
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4976
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:4400
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:836
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:1380
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"3⤵PID:3116
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:524
-
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3844
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1380
-
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 3328)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 1328)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 4340)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 4984)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 4248)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\System32\Conhost.exe (depth 1, PID 3728)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 2, PID 2552)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\System32\Conhost.exe (depth 3, PID 2344)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 4, PID 320)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 4712)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 4052)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 5000)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 4700)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 2, PID 2552)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2252)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iYoYQEIw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 1312)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 4688)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 1160)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1944)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 4708)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 2, PID 4820)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 4712)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2216)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4408)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcYYwAgY.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\System32\Conhost.exe (depth 3, PID 3408)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\reg.exe (depth 4, PID 3404)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 4, PID 2148)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 4, PID 4596)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4644)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2036)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuQwUYYM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 3360)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 3972)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 3616)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
- C:\Windows\SysWOW64\cscript.exe (depth 3, PID 4276)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\System32\Conhost.exe (depth 3, PID 4248)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\cmd.exe (depth 4, PID 4688)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUMkMcIE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 4, PID 624)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 4, PID 2544)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (depth 4, PID 1608)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 5, PID 3672)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2304)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4684)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2544)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3648)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mskoQIEU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4780)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 5044)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - UAC bypass
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 3368)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1172)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 3, PID 3368)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
  - Modifies visibility of file extensions in Explorer
  - Checks whether UAC is enabled
  - System policy modification
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 4916)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 808)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\SysWOW64\cscript.exe (depth 2, PID 4792)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 3164)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 944)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 2, PID 2908)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 4376)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4264)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 3, PID 2560)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1196)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQQcoIUQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2296)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2040)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 3616)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2372)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYcAgYEA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 1616)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 4376)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 4248)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\System32\Conhost.exe (depth 2, PID 3000)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 2380)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 3220)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 3076)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 3824)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4104)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 3580)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 4604)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 4476)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 1312)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 4992)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4276)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MegoEwIw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 1492)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4836)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2552)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 2200)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 3340)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 2144)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 5116)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3404)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 3116)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 3220)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1196)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKogEMMg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 744)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4596)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 3, PID 4336)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 1424)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3160)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1664)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYUQgsgI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 3000)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4860)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2356)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5092)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\System32\Conhost.exe (depth 2, PID 3636)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 3204)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 3596)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4616)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2764)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UikQYMIU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2532)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 3928)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4264)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 3216)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3772)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUQsIMgU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 1648)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 3272)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2228)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 3, PID 3740)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5044)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 3648)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\System32\Conhost.exe (depth 1, PID 2560)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4836)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAIYIcQg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\System32\Conhost.exe (depth 3, PID 4968)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2144)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2908)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 3972)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaEwEAQs.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 4724)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 1584)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 1580)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1664)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4656)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 3024)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JwYQUcwM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 1560)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 4792)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 3500)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 5084)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\System32\Conhost.exe (depth 4, PID 1316)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1652)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 2908)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3192)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pEYEckUA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 744)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 364)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4920)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bKsEQocg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 4292)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 4896)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 4460)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2040)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 3824)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 3408)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoYMAYEQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 4132)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 4960)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 2252)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4908)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 3, PID 4336)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 4, PID 1492)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QWIUYoIU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
  - Checks whether UAC is enabled
  - System policy modification
- C:\Windows\SysWOW64\reg.exe (depth 4, PID 2160)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 4, PID 3204)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 4, PID 4684)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 5, PID 4960)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqIAkkAo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 5, PID 1424)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies visibility of file extensions in Explorer
- C:\Windows\SysWOW64\reg.exe (depth 5, PID 2256)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\System32\Conhost.exe (depth 6, PID 508)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\reg.exe (depth 5, PID 2228)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cmd.exe (depth 5, PID 1916)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 1512)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 4504)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4460)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2712)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GMEsAgwA.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 452)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2336)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 632)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cscript.exe (depth 2, PID 2072)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\System32\Conhost.exe (depth 3, PID 4512)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 3412)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 2520)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 4616)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 2, PID 3308)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 3360)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3000)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIkAQQAo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 452)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4544)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2284)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
- C:\Windows\SysWOW64\cscript.exe (depth 3, PID 3408)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\System32\Conhost.exe (depth 4, PID 3164)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\cmd.exe (depth 5, PID 424)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EAYwwkoY.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 5, PID 5044)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 5, PID 4688)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 5, PID 864)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cmd.exe (depth 5, PID 4780)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5004)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 632)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3160)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dScMokkk.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4860)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4680)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 3504)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4444)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\System32\Conhost.exe (depth 3, PID 2764)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe (depth 1, PID 1168)
  C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2764)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2040)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 5084)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 4276)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 3412)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2292)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OeAgEIEM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 3120)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 3540)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4524)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cscript.exe (depth 3, PID 1796)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4700)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 3368)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiIUcwEM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 3192)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 740)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 1616)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4380)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 3272)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 1652)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 1692)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4032)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 2428)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4436)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buIkYYkE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2144)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 1424)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 744)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1100)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OYkIwwsk.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 2688)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 1912)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 3, PID 2916)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (depth 3, PID 920)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3092)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cscript.exe (depth 1, PID 724)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2284)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PmkoogAM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2532)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 636)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4896)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2036)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cscript.exe (depth 3, PID 4684)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- C:\Windows\System32\Conhost.exe (depth 3, PID 2216)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\cmd.exe (depth 1, PID 1492)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puwMwQAs.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 1, PID 2544)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\SysWOW64\reg.exe (depth 1, PID 4104)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 1, PID 4224)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- C:\Windows\SysWOW64\cmd.exe (depth 1, PID 3328)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"
- C:\Windows\SysWOW64\cmd.exe (depth 2, PID 3332)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqQQooQc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4436)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- C:\Windows\System32\Conhost.exe (depth 3, PID 3412)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 2148)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- C:\Windows\SysWOW64\reg.exe (depth 2, PID 4384)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:2904
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:4224
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4700
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOcccgIM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1068
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
PID:1196
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies visibility of file extensions in Explorer
PID:2552
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:1608
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:1004
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUoscQUc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:4524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
PID:864
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- Modifies registry key
PID:1316
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:1492
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:4860
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
PID:1464
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:1628
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:224
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:3540
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:3580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puUMggwQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵PID:4048
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
PID:4620
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:3076
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
PID:1176
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:4708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmQgwIIY.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:636
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:4880
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:1068
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:2712
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:4460
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYQMUUAk.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:1004
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:2236
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
- Checks whether UAC is enabled
- System policy modification
PID:2532
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:3544
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:1608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3436
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:4336
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1188
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
PID:1648
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuIYAkIk.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:3204
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- Modifies registry key
PID:1492
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:4280
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
PID:1420 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vwEkkkQE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵PID:2960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IMkEUIkM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""3⤵PID:4452
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:3520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqkoMcUM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""4⤵
- Suspicious use of WriteProcessMemory
PID:740
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- UAC bypass
- Modifies registry key
PID:4616
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5000
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies visibility of file extensions in Explorer
PID:1700
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3252
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:1100
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:1696
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4436
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:2296
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies visibility of file extensions in Explorer
PID:3504
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
PID:4400
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:3076
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4596
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:1320
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igYwEwAo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵PID:944
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
- Modifies registry key
PID:4444
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
PID:4916
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:1512
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:4164
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
PID:4880
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:3024
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1328
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:2292
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUkIEcwM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵PID:4700
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd3⤵PID:2136
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:1072
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:1920
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
PID:4372
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:4264
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1304
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQEUoQkI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:2380
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:2008
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:4548
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd2⤵PID:2256
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1380
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
PID:5000
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:3740
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd2⤵PID:3616
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- UAC bypass
PID:452
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5092
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
PID:2712
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:3496
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:1168
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYsoIcgw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:4992
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:632
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:5060
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:2168
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQUksUoc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵PID:228
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:3368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HkcgEMcQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""3⤵PID:3696
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- UAC bypass
- Modifies registry key
PID:4380
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:4780
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:2612
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Modifies visibility of file extensions in Explorer
PID:4656
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2428
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:4132
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"3⤵PID:3412
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaAUccgc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""3⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd4⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3520
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:3740
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- UAC bypass
PID:624
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:1740
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies visibility of file extensions in Explorer
PID:2160
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"3⤵PID:1328
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:4400
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:1556
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd3⤵PID:4316
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uGIowoYw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:3928
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:4852
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
PID:4052
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:4276
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:3740
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:1188
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd2⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3548
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
PID:4376
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
PID:1972
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:4268
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3544
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:4908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IykAkgkM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵PID:3736
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:1652
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4708
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- UAC bypass
PID:1560
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
PID:3340
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:1628
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAgkEMkI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:2148
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:1068
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:524
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd2⤵PID:4908
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:2284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:2072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
PID:4224
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
PID:3360
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEIkMoEc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:3120
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:4288
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:3344
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:2408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgAoQEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:808
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:3548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmIgMcYg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""2⤵PID:2904
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3772
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyYsMsQg.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""3⤵PID:2036
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:3740
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:3972
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies visibility of file extensions in Explorer
PID:4836
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"3⤵PID:4260
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd3⤵PID:4684
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
PID:1100
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"2⤵PID:3200
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd2⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2992
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:640
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- UAC bypass
PID:2544
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:216
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:2228
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xugUMcwE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe""1⤵PID:1176
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:4408
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:4032
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:4384
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"1⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exeC:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd1⤵PID:4400
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3636
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:3116
-
Process tree (continued). One line per process: [depth] image path | command line | PID | signatures
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMcwAEIs.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 3168
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 3204 | Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 1912 | Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 3404 | Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voMowoQo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 3344
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 1304 | Modifies registry key
[2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4548
[3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 424
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 2148
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 2160 | Modifies registry key
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 1956
[2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 2148 | Modifies visibility of file extensions in Explorer; UAC bypass
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 1992
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 4132
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEQQYAEc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 2296 | UAC bypass; Checks whether UAC is enabled; System policy modification
[2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 1696 | Modifies visibility of file extensions in Explorer; UAC bypass
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 4452
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 4792 | Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 1608
[2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3932 | Modifies visibility of file extensions in Explorer
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4536 | Adds Run key to start application; Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoIkYAAQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 4492
[2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 228
[3] C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe | C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd | PID 224 | Suspicious behavior: EnumeratesProcesses
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 1700 | Modifies registry key
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 2312 | Modifies visibility of file extensions in Explorer
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUsUEgIE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 1216
[2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 1652 | UAC bypass
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 3344
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 2116
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 1816 | Suspicious use of WriteProcessMemory
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaUQkAwE.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 2168
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 1512
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 3304
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 4288 | UAC bypass; Checks whether UAC is enabled; System policy modification
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 112
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4240
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3940
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWcMAcMY.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 2428
[2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 3168
[3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3500
[4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2276
[4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3672
[3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4448
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 4460 | Modifies visibility of file extensions in Explorer
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 1304
[3] C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe | C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd | PID 1072 | Suspicious behavior: EnumeratesProcesses
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 4916
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4784 | Suspicious behavior: EnumeratesProcesses
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IcIUUcUc.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 4504
[2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 2140 | UAC bypass
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 2348
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 1652
[1] C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe | C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd | PID 3940
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3120 | UAC bypass
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 216
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIwoMEUU.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 4512
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 2396
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 4476
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 4268 | Modifies visibility of file extensions in Explorer; UAC bypass; Modifies registry key
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 5060
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2040
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiUkMMUo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 4788
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 1580 | Modifies visibility of file extensions in Explorer; UAC bypass
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 4940 | Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 3932
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 4620
[2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4524 | Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goAMwcks.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 3704
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 2380
[2] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4388
[2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4688
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 4316 | Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 4436
[1] C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe | C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd | PID 3124
[2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 364
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 1664
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5116
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GEAYYEIw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 2904
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 624
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 4308
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 4400 | Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 2336
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4940
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGYgYgcI.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 1692
[2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 3280 | UAC bypass
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 3200
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 2304
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 884
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1420 | Modifies visibility of file extensions in Explorer
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4164
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5060
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAEQocAQ.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 1556 | Modifies visibility of file extensions in Explorer; UAC bypass; Checks whether UAC is enabled; System policy modification
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 4984
[2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1628 | Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 2612
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 244 | Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 3252
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAwksYgM.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 2336
[2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 4984 | Modifies registry key
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 964 | Modifies registry key
[2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 640 | Modifies visibility of file extensions in Explorer
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 228
[3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcUcUYMo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 5084 | Modifies visibility of file extensions in Explorer
[3] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 1732 | UAC bypass; Modifies registry key
[3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 3124 | Modifies registry key
[3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 392 | Modifies visibility of file extensions in Explorer
[3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 1304 | Modifies visibility of file extensions in Explorer; UAC bypass; Checks whether UAC is enabled; System policy modification
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2372
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkwQgoQw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 2396 | UAC bypass; Checks whether UAC is enabled; System policy modification
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 1696
[2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4408
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 4028 | Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 4840 | Modifies visibility of file extensions in Explorer; Modifies registry key
[1] C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe | C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd | PID 3332
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 3092
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1912
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4384 | UAC bypass; Checks whether UAC is enabled; System policy modification
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 836 | Modifies visibility of file extensions in Explorer
[1] C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe | C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd | PID 320
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmEAMAEo.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 2236 | UAC bypass; Checks whether UAC is enabled; System policy modification
[2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 1692 | Modifies visibility of file extensions in Explorer
[2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 4476
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3204 | UAC bypass
[1] C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe | C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd | PID 3328 | Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKMQUkEw.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 3168 | UAC bypass; Checks whether UAC is enabled; System policy modification
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 3200 | UAC bypass; Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 2072
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 1920 | Modifies visibility of file extensions in Explorer
[1] C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe | C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd | PID 2960 | Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd" | PID 3844
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 1608 | Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4132 | Modifies visibility of file extensions in Explorer; UAC bypass; Checks whether UAC is enabled; Suspicious use of WriteProcessMemory; System policy modification
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4276 | Modifies visibility of file extensions in Explorer
[1] C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe | C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd | PID 1956 | Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgYEIIgY.bat" "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe"" | PID 2380 | UAC bypass; Checks whether UAC is enabled; System policy modification
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 2340 | UAC bypass
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 2284 | Modifies visibility of file extensions in Explorer; Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 3500 | Modifies visibility of file extensions in Explorer
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1944
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4220
[1] C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd.exe | C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd | PID 228 | UAC bypass; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; System policy modification
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4308
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3736
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4028
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4684 | Modifies visibility of file extensions in Explorer
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2200
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 920
[1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS | PID 1084
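The tree above repeats the same three reg.exe writes from every batch file: EnableLUA=0 under HKLM (UAC off), and Hidden=2 plus HideFileExt=1 under HKCU (Explorer stops showing hidden files and extensions). The sandbox tags the first one "UAC bypass", but note what the command line actually does: it disables UAC outright rather than bypassing it, the write only succeeds if the process already holds an elevated token, and the new setting is not applied until the next reboot; the tag fires on the command line, not on the outcome. The following detector is an added example written for this page, not tria.ge's own signature logic; it parses reg add command lines regardless of switch order (the tree shows both "/v ... /d ... /t ... /f" and "/f /v ... /t ... /d ..."), normalises the hive name, and matches the value and data against a small watchlist. The ATT&CK mapping in WATCHLIST is mine, and the sample input is three lines copied from the tree plus two constructed lines that must not alert.

```python
"""Flag reg.exe command lines that disable UAC or hide files and extensions in Explorer."""
import re
from dataclasses import dataclass
from typing import Optional

# Hive spellings reg.exe accepts, normalised to the short form used in WATCHLIST.
HIVES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
    "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU",
    "HKEY_USERS": "HKU", "HKU": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR", "HKCR": "HKCR",
}

# (normalised key, value name) -> (data that alerts, ATT&CK technique, description).
# The technique mapping is this example's own, not the sandbox's.
WATCHLIST = {
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua"):
        ("0", "T1548.002", "UAC disabled via EnableLUA=0 (needs an elevated token; effective after reboot)"),
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidefileext"):
        ("1", "T1564.001", "Explorer hides file extensions"),
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "hidden"):
        ("2", "T1564.001", "Explorer hides hidden files and folders"),
}


@dataclass
class RegAdd:
    key: str                 # short hive, lower case, no trailing backslash
    value: Optional[str]     # /v name ("" for /ve, None if absent)
    data: Optional[str]      # /d data
    reg_type: Optional[str]  # /t type
    force: bool              # /f present


def _tokens(cmdline: str) -> list:
    # Split on whitespace, keeping double-quoted runs (key paths with spaces) together.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def normalise_key(key: str) -> str:
    hive, _, rest = key.strip("\\").partition("\\")
    hive = HIVES.get(hive.upper(), hive.upper())
    return (hive + "\\" + rest).rstrip("\\").lower()


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse a 'reg add' invocation; return None for any other command line."""
    argv = _tokens(cmdline)
    if len(argv) < 3:
        return None
    image = argv[0].rsplit("\\", 1)[-1].lower()
    if image not in ("reg", "reg.exe") or argv[1].lower() != "add":
        return None
    parsed = RegAdd(key=normalise_key(argv[2]), value=None, data=None, reg_type=None, force=False)
    i = 3
    while i < len(argv):
        flag = argv[i].lower()
        # reg.exe accepts its switches in any order, so walk them as flag/argument pairs.
        if flag in ("/v", "/d", "/t", "/s") and i + 1 < len(argv):
            arg = argv[i + 1]
            if flag == "/v":
                parsed.value = arg
            elif flag == "/d":
                parsed.data = arg
            elif flag == "/t":
                parsed.reg_type = arg.upper()
            i += 2
            continue
        if flag == "/f":
            parsed.force = True
        elif flag == "/ve":
            parsed.value = ""
        i += 1
    return parsed


def check(cmdline: str) -> Optional[dict]:
    """Return a finding if cmdline sets a watch-listed value to its alerting data."""
    reg = parse_reg_add(cmdline)
    if reg is None or reg.value is None:
        return None
    hit = WATCHLIST.get((reg.key, reg.value.lower()))
    if hit is None:
        return None
    bad_data, technique, description = hit
    try:
        # Numeric compare so that "0" and "0x0" both count as zero.
        matches = int(reg.data, 0) == int(bad_data, 0)
    except (TypeError, ValueError):
        matches = reg.data == bad_data
    if not matches:
        return None
    return {"cmdline": cmdline, "value": reg.key + "\\" + reg.value, "data": reg.data,
            "technique": technique, "description": description}


def scan(cmdlines) -> list:
    """Run check() over an iterable of process command lines; keep the hits."""
    return [f for f in map(check, cmdlines) if f]


# Three lines from the process tree above, one non-reg line from the same tree,
# and one constructed line that restores HideFileExt=0 and must not alert.
SAMPLE_CMDLINES = [
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\17b33dcdde306525f9dd0bce6b1b88dd"',
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0 /f",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(f"{finding['technique']}  {finding['value']} = {finding['data']}  ({finding['description']})")
```

Feed it the CommandLine field of process-creation events (Sysmon event 1, Security 4688 with command-line auditing) rather than the image path alone, since reg.exe itself is benign. On a suspect host the same three values can be read back with reg query and compared against the watchlist to confirm whether the writes actually landed.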
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize 103KB
  MD5: 3215bed6de263fa4fc18409e6fe84f64
  SHA1: 8e8b90b6aa38c85d3e19a5e260e169624fc607bf
  SHA256: e681365880ccfc7b0e580c30da060280ccbc38ed5fbaea46d501436a34ea4bae
  SHA512: aa9043ede13f22bad1a71f1cf9b5e216486dc31a10ad36cfafb514fffb9e3b01d899cfe60b5b2c3ba8031b66abae6bc8cf15e0c340460c8b3b64a68f7a4815f3
- Filesize 92KB
  MD5: 3470e4990d142a7bed931c163871c086
  SHA1: a314a5b021682f868fe8ab56ac2aba1737536756
  SHA256: 2320d5e2bafe31da4a76b1ad608c0b9d5e50d3dc7679b7ce70832c7e6e59e81e
  SHA512: 25df9719183bd3ee8675a15cc9a8a3dd6d1a5df61ef0278658ddc51698f673f71082c3e99bc8685d5e6f74aab819da41c6055ebcae2930237d28e7670aba15af
- Filesize 1020KB
  MD5: ce8dd821b9ec8994c7234989b2bdd7d6
  SHA1: a61fb40056cf7c5b0283f1a70b87a19955170c35
  SHA256: bc7d7e5af8ab7770aa9a7c7c015e9a4e6d99a176c001c70b38d1550bcf5f39fa
  SHA512: 9b0b704da00175092a6262039ae5863bc237c6bb324a6f433e02b45cb8c097bd2174b93c7c68d242db317434a8e1e244750564977187a0cedb8d2b405f384397
- Filesize 883KB
  MD5: 5ce21ef77ccf11a0578836cd534c27f0
  SHA1: eee1c44b9648d41eb670375118568e4ba6e3ad95
  SHA256: eda04c62b6a420b9b022b9443bd109ccb90073316a2151ba37f78f639ff1d57a
  SHA512: 646051121d9674b3eaad3af2dab2f6a3d3403e34f48321e48dbc66e09216804c60eeb9e82eb26f447e75a9a64cb12748cab5212aed304082144805256fc3dcdf
- Filesize 433KB
  MD5: fd6ec0734ee03abd977d672adcdf0b58
  SHA1: 5fcaf18328aa4df55886a396d8220f5f4560b53a
  SHA256: 52348950ba51631dbda69eee47b3a726c9c976813d93d7d2371c87547553f579
  SHA512: 9fb0c4de5be45d37b5c460b3aba8f5551f2d3de82e64a796c4438e64164f6b9e5f97599a1937d6ceaf683cb66b21132da8219222f1a9f7d58e9ea5049acb866c
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe
  Filesize 434KB
  MD5: 37990e1a67beb4ecdba1cb73f5e0bdc9
  SHA1: 9adde0f10636ffa4694a17dbc24b94db67d2f349
  SHA256: 5385fa0d8453490368c487543a20a0e891d713189ff4ce047db326034a3879da
  SHA512: af9d8a025536649553676188ba8dcde9364037d8ed78144bbf367f71d90c4aa2dddf0d1203fc6439394dfc5c91a29b25f4f13a1cae14f1f3e25374ca477f4ab8
- Filesize 811KB
  MD5: 51526b49525cf54c28af1a0bddcca97d
  SHA1: 09f6d5cdf9cd6fd159f45b96e9d1b4d05440ef32
  SHA256: d583055a47b6881d0d037e2bccec8c7501286eadd670a5d1c097fcc3c35f0e54
  SHA512: 42b8e91b425cf294ee8e9b5d458b682527624086ecb6fbb46c69dc184129b6d176e7ae1ada75676b86e78e1190498fe19daf66a6ec125db7c94742ed1853adc4
- Filesize 48KB
  MD5: 6f90adcbf8a3254558fe0aa75e416573
  SHA1: 5e5baaa632e90d78297f3c5edb9c592f15c53d4d
  SHA256: e69f8ed2ba8b1bf7bccd65052fb89719e1ff5178cf82b95fd302a3ae950811bb
  SHA512: 0d9b51f0514f7476179f7b57c231fb40aabb79c747f164852130ee35c1b8caa30a2f6d888e4530fe6e22a4098ccc04301890c1da70ef7a0b2d44d681b370564d
- Filesize 437KB
  MD5: ea770126ca7d49360e43205caf5bbe3d
  SHA1: 7466f093192fb263c7a86da5d90e885360e8ac90
  SHA256: fc631a42bf9a3526b583365aa9b9f235413b465c4157c9b7b92d98530098fdd8
  SHA512: 937e4fb6968574087a7b9c7ef60413feb882aa0d56bfe9c1978f140cc98653047cf3936738e01df45a1c4cb6792d2932cfcc8def3711631ad9ff161add87fa9f
- Filesize 560KB
  MD5: 48f08a110b85b5b9193ae8578251c372
  SHA1: bbff29edab9c120fc3b5a79d8ea7b3f1d9940cff
  SHA256: 3e3c1d51d84eb655a97a39973c8dffe301cf15dafa3f6fbaee340b8cd0f3ac84
  SHA512: 75b47ed3b7e41ddac1798e4fad11ebbb4fe982466afd5d51bdf1f3826b353bba9574c998c3fdb94fbe7a3b8074613ae7d7c5cc0d35250791f12b6acc0fbc8137
- Filesize 438KB
  MD5: f4777e7fe2f450c00ce19c01e15443fe
  SHA1: 64804395b5a5420d589590fc689634d959e9dadc
  SHA256: 7dccefb7afdfdc99837d7312894050b86e9c3e953a5279a22d9b5f3528d4f70f
  SHA512: bdeb1581a570055d5a6924ac0b76869e6aec7d92516bb67bdd9305cce9dfc00ee8f0d9c5255846770d7c103ccd12c475ec76a7f57df8c5157234501c75960892
- Filesize 435KB
  MD5: 2065f9a6c62cc9bbaf542996dac2d209
  SHA1: f880df3090dac7385c5edaf031ec30eb174c9c52
  SHA256: 09dcc8a0c0a769fafed6a19560ed4bc6762f1b824043adef76d03515d25ed9da
  SHA512: dcbfa26a8b6db3804c7c0e459206729aaad5a7357a1850acc9c27d9ec8a40b8f3be0cbba6967a306f6d8c3ddb4a6730c33825b007bfd4c66fb83e61777dfc870
- Filesize 5.5MB
  MD5: ea3f1d2c9a0394fa8122ff14cc033f60
  SHA1: 45abea7799315cc613268d8abeb6af25a122881c
  SHA256: 9359946dead86bd90b07ee5c4d1643d0b999793be7270dee723fa1a23a24eb99
  SHA512: 8cdd5a6c6d0846053db24312fbb3291bacf25193fdbf55cb06cb7dc52ecf420dfb2828b3b73905bbcefec195a2a1da9887e8af53dd4559e1de7d5d32a7165555
- Filesize 435KB
  MD5: 9d75562c0225bde8a1140b20eff924ee
  SHA1: 7d61bd158abddfb90bbf2051d583427dda764f2e
  SHA256: 7339e24991285828654d3ed4b16adf213b78611b48cba684d20adf943ea2fad0
  SHA512: 2e9b68954fa22473f4ae96e21739f19554b635b24435a6ceed93a7c6da900b0707c6277b75ffac61ce358fffd7551cf4abbcfc5e624203484b73ac806292f33d
- Filesize 441KB
  MD5: 23b6acf73ef5a4da81ea83ecf7f8d86d
  SHA1: daabf873c4d2ba87fbc0620b4c295a9bfdbe0815
  SHA256: 7187eb7e268d3f0c44bcf915d6310452545e57ec69446e36009028983081d629
  SHA512: 2c20ee3178f7663013964ae994b478fb67548e30d55441c73278cb912a3ab4dc0da3c5121a354e510b988d7feab8bd982845fdf73cf4c747311943b1383de52c
- Filesize 470KB
  MD5: 8bec6c85711579216d00d4656ad6c660
  SHA1: 43afeb81d424d1a7562608ae6882086039d9e00c
  SHA256: 33e5338853cfe67800788264849a9f25ef62f92b10c9fb71e0046f49de13359a
  SHA512: 8e3b552ccf0177f422ac462b3e964f47e1a182a94aafc4d5bdfee195612289fa810adf4ca1e5cb994695c218ae1cf512266e2cf3b911809124cd2dca87887a96
- Filesize 438KB
  MD5: dd16fd1a30cb69e7851850ef0cf41108
  SHA1: 86f5fb4daa4b541af8c3c28d053a5474ef49e11c
  SHA256: 361733330d686e024b69d132aab589a64faf4827b772a800cc42315dfbb9e80e
  SHA512: fb477f269d1d121a28a4eb9638b67b9f2a36893386ed67de89165523bcb53dc8de39bcd0f5146c1525c18cd462407b5e540fd5f3c263a2a837fcfff4865ab017
- Filesize 435KB
  MD5: 26e88f2f26e053e6a481a75c50771eaa
  SHA1: 2c4d029330be1c4a72c85e46c3c746082cce1d6e
  SHA256: e54d83c7592ba7782c962dec0ef0665003e6c3786a6c9c0cbb0f1b92d6de9788
  SHA512: 3b3e3932084b1a850a859a8ce4e1e330ac69a7bab6c7a8c9de3db1007bd586d6b8cbec83f4b6139e0c02162beada2dc3348e0492a5ce5d1d09d729eeb002617c
- Filesize 436KB
  MD5: 6698fd217f8cfe3f5543da64322cbb2e
  SHA1: 782ebc3bd92293d9ca3b0f33a0af67b9e963d944
  SHA256: 14656c3fa5c8a6198c44cb19929affeb004c617d1c25527312698aeccb77efda
  SHA512: f81512673faf40579dbcf6181c51b7c7d3ac2e04b1e089dbe60d14f6f400f8d0ea4328c3105ca9e2d54c01e5a7c08017e062034d9d2709adeeed6f876b71fbca
- Filesize 890KB
  MD5: 3e6b878b6ccabef920084c20275ef29b
  SHA1: 55c3786c8b02d3e1285606e311ff8b6ca683621b
  SHA256: 07008e02c852f26360988f9bc483f3e211ae67bc22c576cc898f23a1a076ad1a
  SHA512: 9a1ff5cac3bff5235cff544c4a15716ac458f0fe4a77572677452958fbf12bd0c3b347c6f758975f7e7ad8d68727aa3d2d7028528b7a5f9f98fd1bb5ec5d1e5b
- Filesize 1.0MB
  MD5: 45c887e5f36820621021a35736e97572
  SHA1: 813ea4a463f129dd135ef3610d8d00c8dfe55341
  SHA256: af3bcdeb21e0a24173277249d645f2c9707d9d5d335c59dee3fdafd5aae00e14
  SHA512: 8e63b6734de2e612f429915454726840bba0ac45d72c90b2049d1f126ede65dc43a8a73bd1787851e6f44eedc6664074e440da001cb8118e6edee795f9e1c890
- Filesize 443KB
  MD5: e590a74526830a10d8cef4e5b343f24e
  SHA1: 6e7a4bdd0b0d0e49d50e82d05f328fa23dce2aa7
  SHA256: c983f8e8c48a015ef26b2f9bd82c42749b9e7dbe1f39ec6f5476f4648fed2004
  SHA512: e4246029335ee50cdc72ea41d227c34d66105fa68d1d516aaff1ae32126ffb7b86d533f7ed19ed8edaaa29803902571bfee5fe1f882b3336727a0e161bd2d79f
- Filesize 434KB
  MD5: b6ef99d435f15ab4c336fc324fa8c9d9
  SHA1: 8824667d0cf301761f8b70bd80a9c2775503b844
  SHA256: 3c4aa90f89380b88ece3389abaeeb0959025b4f918f1370f92d0a32d789d9974
  SHA512: f7529c28f0c93b875974b877a8d5aeeff4c403bfe6c0607451ab21f8d8f540bc5ed0c8032100ffa38db2a8d055578a9b44907ae62af3049075a53724e6269592
- Filesize 436KB
  MD5: 5ef58682d78a651ebd0a82dc738b39e4
  SHA1: 277e69f5b5959ea1d5e89a8d9e3167d64ece990c
  SHA256: 4f7f5bd66e734ecf5d493e109e2a34082375e98ec2769079cdf38485223a9528
  SHA512: aab7d8f89895ea6733cb3548fed43025ebef00990adb1d1b3fee032c0bed351cd7672138ad469b946db916d1717914052c938b2397692c6de673d58194e2c681
- Filesize 606KB
  MD5: 578f255685d5475d2a117f0bdaf019da
  SHA1: c869bfa6c408c25810aabd09650594ff2e5eb841
  SHA256: a94b848134c97d3e11d0a36888b8aed04a7426bcedc8b88c35561d5336c0f8e1
  SHA512: 36a1b676ff83c91af343ac4269a2ba80bed3bd117cca97d3e6df1d232a606805dba60a0bc8b5e2e549d57eb96a252bf6fe45b520825d18bf65007f3ecdaeb64a
- Filesize 529KB
  MD5: 1d909e0fd64652931e8e4bf3eebfd49f
  SHA1: 3291e1bd159e46e320904e4b2347d9c295274508
  SHA256: 675cca5d90ec30bfa5071764864e594e80dd354dba3641ca7c9b3a49fe0fe106
  SHA512: 1d6995f050af293f6b407bd4ef3b6ac23ec1b613501b63d15d9be84e53798307c7d2529a5cd0bd3ef0beaa7a823b531b67f745ce5702056cf7b92723abbc2015
- Filesize 4KB
  MD5: f31b7f660ecbc5e170657187cedd7942
  SHA1: 42f5efe966968c2b1f92fadd7c85863956014fb4
  SHA256: 684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6
  SHA512: 62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462
- Filesize 447KB
  MD5: 37e7c627ef170955f838f1a2968c8992
  SHA1: f21744ceeaab90c970d16a0cca4d9e435ea57a8f
  SHA256: 792f8542bee7572d5e3b72843e2c2521b3217095135c649afa69e80aa2ed0008
  SHA512: 9be4e6415a137979db007b43f668d4670e51e3aa16af1a70809d8174ab7c22a80800a2a995b97bb9bb65eb31f51521297e7703e3d0fc8d85770f8828add9788f
- Filesize 502KB
  MD5: e0324ea7de3de8ae0129cb2f7e32d950
  SHA1: 683379db11431652b67178a97e4eda96fda87dda
  SHA256: d0a750a6f8f03c7aa0f269ee73edc85d98c6a2209bd3baa8bbff15439c8c2087
  SHA512: 400ebf98ba46e558c732b787fce3ece87e9f63fddd6a2e8a6b0c8770003b71c9d27e232a792058d47a8de30d9b67525c00f1c0ea4d2a83a64da186a4262aa6f1
- Filesize 509KB
  MD5: 58bc0120358f3509d266c45e8250857e
  SHA1: 1be2114e589437558ac1aa109ad6cf5deb3ef414
  SHA256: 94f24340dada19f8f9f6de161d05ebc109be7cc3911647a15993a124baf729dc
  SHA512: 1ac70abf9218030d7302d06f61e1d104dbd75cde5f6c785ed8112dd7fe0fc81cd2cf0d3f2727a365bcf91c79637f85f32853c900f7fbf67b8a675bb78737a967
- Filesize 6.1MB
  MD5: 8452c5969cd978fef0d1a59b1dd3049d
  SHA1: cf83c01dfadd404f55b45fbbc37bdbb3013993fb
  SHA256: 6bd3fec65b938d3d214e0339942ec9b715d3194b582b982efa68643798967031
  SHA512: 202d7b7f1b739aedcba8ec777b0940b1db2d366781386c66104f22c8af21264a87b038408b36c8434b4788e2e017248edd264f43a07def56e60513290a2447a3
- Filesize 112B
  MD5: bae1095f340720d965898063fede1273
  SHA1: 455d8a81818a7e82b1490c949b32fa7ff98d5210
  SHA256: ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
  SHA512: 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
- Filesize 437KB
  MD5: 85f94688b4ee12f0a72a57afadb2902c
  SHA1: c31cd2a431452db9c57871a5f8f7aeb758b79918
  SHA256: e25aed80f726c2ad11407e127ac0b80ef57a7e3806ef2752248966fcb1b99d5e
  SHA512: 5af68d9a7a94fbbd88b1a42228b25b8864f270658f5a49555ad9023c386b4380e0e0a3cf0ff2eff09e5745fa2f815e2a5eb7975ba3150e76122cdd202e466f0e
- Filesize 1.0MB
  MD5: 3ab942f3a37ccba180193acb6b4af22a
  SHA1: 8574751395af40c2ed9f494d0ca5176aeffcb686
  SHA256: 05bdf1acf8b6c3a1905e181bbbf0a6c80d76cd2618b9f5d0e3dbfa2d82ad37b2
  SHA512: 070b66fe2d24c596444790cd0617d3eaa50e435c7cd1d6cb8f8cda20fbcbee8d623417ad4682b6f02436d542caafd63c6dcbdf24aa99f08b6142b5d3ffb6db9d
- Filesize 557KB
  MD5: cfb43cfe3c99db06ce1effc2d0cd69b7
  SHA1: 8326d91a7b87903886f994144ea179c37db8c143
  SHA256: 360834a541d635fec00045dd6befc4a809ed079165d9b03a23a460c87b384d3e
  SHA512: c9de96931d9e371f5c5b070a7728c41bf9944e17a396eca2c478e6894729e7d41e29735c409cb926b607d30d021de68995aa57b0b86e9ea88a464fea3ea4bd20
- Filesize 442KB
  MD5: a8cbffad4fd7e5c3f0b1097433f4851a
  SHA1: 4ea6f3537932e85821c5008d8663c1384a3f09c9
  SHA256: aeb48457424b61aab45e84864fbb6cc216da2971cee943c5db58275d07787274
  SHA512: c6612d72cc9b4c556f1f42390fe5567fec8f92da8d24fb9f7194fe295a67bc3858a5e282933433d57359aa9eef5562fd40d4faed7ea1c432cbc37450c74672da
- Filesize 474KB
  MD5: 2669d64a35873102efa67bdcdcccc825
  SHA1: 61618b06b805016d9c633a55171257408e7ee89a
  SHA256: 437e62eebb751c0b9ed207fe4d8bc85fbe635236c9252a07d2aece4c58edf017
  SHA512: 3763703d7ba23d41354ce684cb1136c1ea0bef6f61fa024218839fe51a0d0733098f5aee72fc57cf48fdbcbd31ba6069e49768daa3ac3ec085758f7b6309a5bf
- Filesize 19B
  MD5: 4afb5c4527091738faf9cd4addf9d34e
  SHA1: 170ba9d866894c1b109b62649b1893eb90350459
  SHA256: 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
  SHA512: 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
- Filesize 618KB
  MD5: c12ade8adab83ee12fbfb150023ea3ca
  SHA1: 8755b1d7aa4e33c5ab574da5a469b3ca5aca87c5
  SHA256: 80d6a931f763b86f1b3aa7b5c9003a5545673c2e990ae10d692c8310c47c5e0d
  SHA512: 6ef2042171a5d3a9a957dcd17b5e2ce60efb3c50749370a731de695a0755664f80d64d0a2cc7d72ab47400c1946db0baf57524d4c0bc0916b03da363b1cbfc09
-
Filesize
537KB
MD5bb49b3354f827d61143c84f42afb49d5
SHA1f8c170e78356b16d64fb093360660b50d011adc7
SHA25685c5ffa2590e54c2b7165d6de0eb904bfff5b11a1fe465a6382115a888538f7a
SHA51244c214dcc29d7103a5f87bda4b1eb2dea43e38c1c8d740537caee2fbb62d8f8ba01ab02a1d0c6ee5ebb07ef2fccc852cfd6ca226b2176c0b2192da7ab03170e7
-
Filesize
444KB
MD5bf51a91a43d8e1aa6f16f9abe75731aa
SHA16cc4f410e44e16cf7a946854c5fa678f1047c211
SHA25694d83d0862f28ce996b4bb8facd981c3479891b9e7d3d0621f6870c6e8302651
SHA5128249d3c70fb66c4c5282cb1449bfc5fd97d58dff655044f3a317dbd9c53114745d998677db212c38f7c88f2125b0bb25abdb72a3afcc7eee29342eff8b347b80
-
Filesize
435KB
MD5de8cdea5ed421161abd20702159a408d
SHA1264eb347501cfaf6f808da0d14428e383813d0d6
SHA2561325af618740faef4793b5f0337ebee898771854bb1e1b2a8897bbc19ab830ab
SHA5125df39ca152bf3be9cf3163f076b5a1ee75f3715b71a4fdbfd40a67c6c5ae9a1d478e63b147735eecf03bde61e77c34b287e09ff5483d069002de2e64e1ee41d9
-
Filesize
442KB
MD5fd9ee228781c5655379cec54de7fdfcc
SHA16fa15fccef607bd22e051ca2ea87e654d62f21a0
SHA256585cffe1f4d563abf7246b0829b42fc1eebfc73646d64eb1e8b8f224a08d6253
SHA512d05017d040ef9572db280d7401db96ee79a5dd7373f063e6ed83c6b601965c078b8031938538f9eaf8d0ec7536ddbe8350308ec0266160f7a9c120c2a00b43ee
-
Filesize
673KB
MD5726c3cb2e6fa36396049eaf228590f8d
SHA13ed5a46d72723921a8908e28dfabe0e1d507f110
SHA25618c80e525ad4b61bf67180d45ed21d10ee6a908358d2ec7cda759f000b6f8fb6
SHA512cc718c9d27de81a49654958db24fb7ee2aa6a4e9bb8931b18551de962a3c067dd02dec7463bb798f1eb0827ebb90147113b43f99ac42b8a984491f1b3ccc1f57
-
Filesize
439KB
MD55c9e3235e50d9bfc9c1e7d9cdb88671e
SHA1824cbfd4465b2d8ec0b8b4ae7a563d4dcb8050c0
SHA256cb902a88532cf409f1c14876a7ab69289537e7895411eeeda5375da196d155db
SHA5120f356749c47c1265f34fd4417fa5838a849ba06a46906087a3cbf8eb08622391887ae25cd7001eb66ef675db1175ec36c20d32fa56e19539f7e8a371cd78944d
-
Filesize
456KB
MD50165e26bed92551aabc52b293c4a9576
SHA1c5abe68b9b9947f3f65782bb29943484eae8d2d3
SHA256a9b8de4e606593b28e8af30b5c3c219c93b53f1c7e280d0682b6d81ec16df408
SHA512f0c3904be6e457a00ed5943d0436cd4a6129e8a385e48d79a2f447567c878dd98a0b0e6aecedc5b6210b3a31fce2c26eefb163d4703dc91fced6849979439928
-
Filesize
4KB
MD5ac4b56cc5c5e71c3bb226181418fd891
SHA1e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998
-
Filesize
1.0MB
MD588e75bdaf2569e3f565adf5876609fc7
SHA10c3649845d5a8d69a5b279e66a26155a2e4b49ae
SHA2561f5e6a2c3b93d29be5f8e656de1bc65d8eb4931483397d0021ba01154e360b6e
SHA51273ca289924fc4449277bd565a614460fd42e1d83515a24018e434ab4963a48593b33e547b038ea58743a4181450961c369e01ad952b96dbb92c76e3a40f7fc1b
-
Filesize
880KB
MD50ffe7b76bcbe37d5b54c3a0a9eb3d52a
SHA1d0a628218e53c80d8b36450a0330943736a6131c
SHA256fb5e8c85c6a8078fd92b5695b57eab1e17c37ba40a98ac81eab61187c8b6354e
SHA512acc558b07ca5eabb32b27eaa8753eee8f3c0f91d710075be41185ca144e7fd6e0fddbf5f35187386d24871ba923f0426cd9539e5ab7e255e23f1086c307c04a7
-
Filesize
436KB
MD55b01527d2c062d266e40f3a0f4734741
SHA1cd46d2474cce72631e6e0c46715dfe34d0872ba1
SHA256f2e7ec93cd0ba41ad55364e15bd1975f840f11fbc955ee5f5413d589a717e666
SHA512bdfd543cbd1351f19f52a6ea46135b81ce9f2ded8066fdea782f160f99be003f048cc6e6fde43c238227615f8ef6c3460b14281454ffe27aff18145d662d7549
-
Filesize
1020KB
MD5349704e4b79b48554e438f7666b08c18
SHA107e7375bdbfecbfc0ac1a5257ab9184d7d4f1391
SHA256a0f4692702b0a7a79613d02f5d30aa2861df498076f91ff8908cd06c75da1b8a
SHA512876e62f424b081a5f464cd65d9642f8c851be2c30d368dd0dad0376ba0155a14306a72bf8360395a6130746289a351616be93680586fed0f73f2fc2ff497b957
-
Filesize
444KB
MD5f988acfc30c7b25c8b7dc490c3001c55
SHA19f1f3bebcbba7b78b7d873e6292d16f790298716
SHA256d420546e03c8f4dfa0079fc21c70e7af0e30da3e00b37953469a88763701aea5
SHA5121c29cc984ef66376eaec2aa5ad02df2311ddc1adf00824e157b7e310505db8ae4baa99a5e1797a89ef204c1cb33fca7485b723fb47e1132ec436d8ac535db93e
-
Filesize
440KB
MD5a2a06c120724aa87773e18d05f33864f
SHA1f6dec3b7627dd613dadf25532c48c301770f89fb
SHA2561b7d8db2883dbfb61c038c5ead8f1e99d96cb5a12dbf349d4127f62a4ab6647d
SHA5122b7f2475d201ac17616dd3c7cd23bb114f8dfb9b67c47b6736f8325c77691d8adbd6e353e1870eb3bddba71f6c7e079078ad7e023907b0d3ac486d9b1b0cf6b2
-
Filesize
436KB
MD5585610186622797f2faa675425b11b8d
SHA1914b891546aa38d39440843d2874b51fadeb9d11
SHA256064c59d8cffdd55f81eab360ee1d49dfbc8465dce477dcc873dbc4694345e7ed
SHA5125f01e31abd3a46b2dec0bcf5103aa39cb539bb13615fc3fb11c77f38ad78c07d02a3b0d1055a7e3720ab5f8e0ad5aa4711254bf627651bd641f9a843fdbcd044
-
Filesize
4KB
MD5ee421bd295eb1a0d8c54f8586ccb18fa
SHA1bc06850f3112289fce374241f7e9aff0a70ecb2f
SHA25657e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563
SHA512dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897
-
Filesize
435KB
MD5d3c478cb3810f042c3b96426bb611166
SHA11290fddd2aba92553a349234b964f19f1f5cba65
SHA2566030592ce55724b8ce9532babb2d9cd7c8f4174c794872906c59d8d8d76913c5
SHA512f2b8b1423f6915b801938751e6e4d786085553df511159bfcee04eef43c4ce766312eb088882fc723fcbfa5399a607140c78298034f5dc04c485657c82d2f2ed
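The hash list above is the form in which this report's dropped-file manifest survives extraction: a "Filesize" line, its value, then MD5/SHA1/SHA256/SHA512 values, each entry separated by a "-" line, with the algorithm label sometimes fused onto the hash. The following Python is an added example, not tria.ge's own tooling or output: it parses that layout (fused or split labels), checks every digest has the hex length its algorithm requires, and matches a local artifact against the manifest by SHA-256 rather than MD5 or SHA-1, which are collision-prone and not safe as a sole identity check. The embedded SAMPLE is constructed for the example: the 112-byte entry copies the values printed above, and the 3-byte entry is the standard "abc" test vector so the match can be exercised offline.

```python
"""Parse a tria.ge-style dropped-file hash manifest and match local artifacts against it."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Required hex length for each digest the manifest carries.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Matches a label line either alone ("SHA256") or with the value fused on ("SHA256ee5e...").
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9A-Fa-f]*)$")

# Constructed sample: first entry copied from the report, second is the "abc" test vector.
SAMPLE = """\
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
3B
MD5
900150983cd24fb0d6963f7d28e17f72
SHA1
a9993e364706816aba3e25717850c26c9cd0d89d
SHA256
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA512
ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f
"""


@dataclass
class Entry:
    size: str = ""
    hashes: dict[str, str] = field(default_factory=dict)


def parse_manifest(text: str) -> list[Entry]:
    """Walk the line-oriented dump; a '-' line starts a new entry."""
    entries: list[Entry] = []
    cur = Entry()
    pending: str | None = None  # label whose value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.size or cur.hashes:
                entries.append(cur)
            cur, pending = Entry(), None
            continue
        if pending is not None:
            if pending == "Filesize":
                cur.size = line
            else:
                cur.hashes[pending] = line.lower()
            pending = None
            continue
        if line == "Filesize":
            pending = "Filesize"
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2)
            if value:
                cur.hashes[label] = value.lower()  # fused form
            else:
                pending = label  # split form, value follows
        # anything else (page chrome) is ignored
    if cur.size or cur.hashes:
        entries.append(cur)
    return entries


def validate(entry: Entry) -> list[str]:
    """Return a problem string per digest whose length or alphabet is wrong."""
    problems = []
    for label, value in entry.hashes.items():
        if len(value) != HEX_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(f"{label}: expected {HEX_LEN[label]} hex chars, got {len(value)}")
    return problems


def digests(data: bytes) -> dict[str, str]:
    """Compute the same four digests the manifest records."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def find_match(entries: list[Entry], data: bytes) -> Entry | None:
    """Match on SHA-256 only; MD5/SHA-1 agreement alone is not trusted."""
    sha256 = hashlib.sha256(data).hexdigest()
    for e in entries:
        if e.hashes.get("SHA256") == sha256:
            return e
    return None


if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE)
    for e in manifest:
        print(e.size, e.hashes["SHA256"], validate(e) or "ok")
    hit = find_match(manifest, b"abc")
    print("match:", hit.size if hit else None)
```

To check a recovered artifact against the report, read the file's bytes and pass them to `find_match`; `validate` is worth running first, because a digest that lost characters in extraction would silently never match.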