Analysis
- max time kernel: 138s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/12/2023, 22:12
Static task: static1
Behavioral task: behavioral1
  Sample: fbeaea693a1a5948798b7cac0d3c862c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: fbeaea693a1a5948798b7cac0d3c862c.exe
  Resource: win10v2004-20231222-en
General
- Target: fbeaea693a1a5948798b7cac0d3c862c.exe
- Size: 484KB
- MD5: fbeaea693a1a5948798b7cac0d3c862c
- SHA1: 67c144a97131a70ae576b92213688ff5b83f8961
- SHA256: 47a29d2d6211e35ee3c7f0ae9c805b3d2633ae0c1e8f56ef17068bf307c21e56
- SHA512: 5af865d18b0ac9caf4d35f703daad21333599ffdda5c6d9c36c29294b4bc34a2c16db9b5cd6e9fbe68f1f6824f2567b30a49c6d91a6e563ac1b34efe94a2e793
- SSDEEP: 12288:8j4x6uqm//2PIJcXvULz4vPFpDI8Bk4/ETeFcPeUFH:8IX//2+cXvoz4vPFpDI8Bi0cPfFH
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  Process (64 entries, every one writing the same value): reg.exe (38), Conhost.exe (17), cmd.exe (5), cscript.exe (2), fbeaea693a1a5948798b7cac0d3c862c.exe (1), backgroundTaskHost.exe (1)
- description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Process (64 entries, every one writing the same value): reg.exe (36), Conhost.exe (16), cmd.exe (7), fbeaea693a1a5948798b7cac0d3c862c.exe (3), cscript.exe (2)
- Renames multiple (53) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
  Process: zqYsckAg.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  4416 | asogEYIc.exe
  5104 | zqYsckAg.exe
  1448 | ZiUgoYQo.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description: Set value (str) for every entry
  ioc | Process
  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asogEYIc.exe = "C:\\Users\\Admin\\yOckgIsU\\asogEYIc.exe" | fbeaea693a1a5948798b7cac0d3c862c.exe
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqYsckAg.exe = "C:\\ProgramData\\ksEccIwQ\\zqYsckAg.exe" | fbeaea693a1a5948798b7cac0d3c862c.exe
  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asogEYIc.exe = "C:\\Users\\Admin\\yOckgIsU\\asogEYIc.exe" | asogEYIc.exe
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqYsckAg.exe = "C:\\ProgramData\\ksEccIwQ\\zqYsckAg.exe" | zqYsckAg.exe
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqYsckAg.exe = "C:\\ProgramData\\ksEccIwQ\\zqYsckAg.exe" | ZiUgoYQo.exe
- description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process (15 entries): cmd.exe (10), fbeaea693a1a5948798b7cac0d3c862c.exe (3), cscript.exe (2)
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Process (15 entries): cmd.exe (10), fbeaea693a1a5948798b7cac0d3c862c.exe (3), cscript.exe (2)
  (30 entries in all, queries and writes interleaved in the original order)
- Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\sheRegisterInstall.gif | zqYsckAg.exe
  File opened for modification | C:\Windows\SysWOW64\sheResolveConvertFrom.mp3 | zqYsckAg.exe
  File opened for modification | C:\Windows\SysWOW64\sheSyncSwitch.docx | zqYsckAg.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\yOckgIsU | ZiUgoYQo.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\yOckgIsU\asogEYIc | ZiUgoYQo.exe
  File created | C:\Windows\SysWOW64\shell32.dll.exe | zqYsckAg.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTP, 64 IoCs)
  Process: reg.exe for all 64 entries
  pid (in the order listed): 3320, 4612, 3652, 4916, 4884, 3996, 3844, 1608, 2900, 3224, 1684, 4212, 2460, 4928, 1248, 1928, 4536, 316, 4388, 1088, 4016, 940, 1892, 1772, 3188, 2400, 1824, 5068, 2948, 876, 4940, 3568, 2556, 4924, 2856, 3804, 2972, 4680, 4704, 1800, 2224, 2996, 4052, 3116, 4484, 4680, 3660, 2152, 2624, 4336, 3188, 3376, 4412, 1088, 372, 2000, 1172, 2880, 756, 1264, 3048, 1876, 4940, 2316
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | entries
  4428 | fbeaea693a1a5948798b7cac0d3c862c.exe | 4
  4704 | fbeaea693a1a5948798b7cac0d3c862c.exe | 4
  4940 | fbeaea693a1a5948798b7cac0d3c862c.exe | 4
  1892 | Conhost.exe | 4
  1372 | cmd.exe | 4
  4712 | fbeaea693a1a5948798b7cac0d3c862c.exe | 4
  4704 | fbeaea693a1a5948798b7cac0d3c862c.exe | 4 (second run of four)
  2376 | Conhost.exe | 4
  4776 | fbeaea693a1a5948798b7cac0d3c862c.exe | 4
  2836 | Conhost.exe | 4
  1248 | fbeaea693a1a5948798b7cac0d3c862c.exe | 4
  396 | reg.exe | 4
  2636 | Conhost.exe | 4
  1816 | reg.exe | 4
  1800 | reg.exe | 4
  1244 | reg.exe | 4
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  5104 | zqYsckAg.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  5104 | zqYsckAg.exe (all 64 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | entries
  PID 4428 wrote to memory of 4416 | 4428 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1210 | 3
  PID 4428 wrote to memory of 5104 | 4428 | fbeaea693a1a5948798b7cac0d3c862c.exe | 88 | 3
  PID 4428 wrote to memory of 5032 | 4428 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1208 | 3
  PID 5032 wrote to memory of 4704 | 5032 | cmd.exe | 1207 | 3
  PID 4428 wrote to memory of 5068 | 4428 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1206 | 3
  PID 4428 wrote to memory of 3896 | 4428 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1205 | 3
  PID 4428 wrote to memory of 316 | 4428 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1127 | 3
  PID 4704 wrote to memory of 2920 | 4704 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1204 | 3
  PID 2920 wrote to memory of 4940 | 2920 | cmd.exe | 1202 | 3
  PID 4704 wrote to memory of 2180 | 4704 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1201 | 3
  PID 4704 wrote to memory of 516 | 4704 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1161 | 3
  PID 4704 wrote to memory of 2272 | 4704 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1200 | 3
  PID 4704 wrote to memory of 4672 | 4704 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1196 | 3
  PID 4940 wrote to memory of 1600 | 4940 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1194 | 3
  PID 1600 wrote to memory of 1892 | 1600 | cmd.exe | 1096 | 3
  PID 4940 wrote to memory of 4016 | 4940 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1192 | 3
  PID 4940 wrote to memory of 2152 | 4940 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1191 | 3
  PID 4940 wrote to memory of 3004 | 4940 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1190 | 3
  PID 4940 wrote to memory of 3408 | 4940 | fbeaea693a1a5948798b7cac0d3c862c.exe | 1189 | 3
  PID 4672 wrote to memory of 1256 | 4672 | cmd.exe | 99 | 3
  PID 1892 wrote to memory of 2724 | 1892 | Conhost.exe | 1186 | 3
  PID 3408 wrote to memory of 3332 | 3408 | cmd.exe | 1185 | 1
System policy modification 1 TTPs 30 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fbeaea693a1a5948798b7cac0d3c862c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fbeaea693a1a5948798b7cac0d3c862c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System fbeaea693a1a5948798b7cac0d3c862c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System fbeaea693a1a5948798b7cac0d3c862c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe"C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\ProgramData\ksEccIwQ\zqYsckAg.exe"C:\ProgramData\ksEccIwQ\zqYsckAg.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5104
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:316
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Modifies visibility of file extensions in Explorer
PID:3100
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncAYQMIs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""2⤵
- Checks whether UAC is enabled
- System policy modification
PID:3416
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:3896
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Modifies registry key
PID:5068
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵
- Suspicious use of WriteProcessMemory
PID:5032
-
-
C:\Users\Admin\yOckgIsU\asogEYIc.exe"C:\Users\Admin\yOckgIsU\asogEYIc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4416
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:516
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
PID:1172
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:1892
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:1372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵PID:4452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKcwEwMQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""4⤵PID:4880
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:664
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:5032
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:1508
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:4664
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c5⤵PID:1072
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"4⤵PID:3760
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c4⤵PID:2788
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:3512
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c2⤵PID:4056
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Modifies visibility of file extensions in Explorer
PID:3340
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3964
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:2376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:5028
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4776
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"1⤵PID:1176
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c2⤵PID:2836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feMMUkAI.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""3⤵PID:2152
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3512
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:2636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵PID:1816
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:4436
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c5⤵PID:1508
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"6⤵PID:2920
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵PID:1604
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\biQoAMwc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""7⤵PID:3424
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Suspicious behavior: EnumeratesProcesses
PID:2636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VukoUwsQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""9⤵PID:1088
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f9⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:3844
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 29⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2704
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 19⤵PID:1772
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- UAC bypass
PID:4300
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f7⤵
- UAC bypass
PID:3624
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 27⤵PID:4056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YAUUEcQQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""8⤵PID:3024
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f8⤵PID:1928
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 28⤵
- UAC bypass
PID:1124
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 18⤵
- Modifies registry key
PID:4388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"8⤵PID:2728
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 17⤵
- Modifies visibility of file extensions in Explorer
PID:4628
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"7⤵PID:4396
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:4720
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:1892
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:3808
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2272
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3920
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:1800
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵PID:1244
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"4⤵PID:2112
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqIckEoM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""5⤵PID:4008
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵PID:3376
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"3⤵PID:4584
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1264
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"1⤵PID:2624
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOAokcQw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:4484
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:4692
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3896
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:4544
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:1244
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵PID:2996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuoMMQcs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""4⤵PID:2460
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
PID:4704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qeosccMU.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""5⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1128
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
PID:396
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
- Modifies registry key
PID:940
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵PID:4564
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"5⤵PID:4108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caswIsss.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""5⤵
- Suspicious use of WriteProcessMemory
PID:4672
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2272
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies visibility of file extensions in Explorer
PID:2180
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"5⤵
- Suspicious use of WriteProcessMemory
PID:2920
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:4724
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies visibility of file extensions in Explorer
PID:4524
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"4⤵PID:1836
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- UAC bypass
PID:3488
-
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵PID:2748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCwcoUEc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""4⤵PID:2900
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:3348
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyUkYwkE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:3468
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵PID:2188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"4⤵PID:4040
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgcsooQk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""4⤵PID:2152
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:3980
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:1128
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
- Modifies visibility of file extensions in Explorer
PID:4252
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:4716
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:1252
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:4940
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaQoQQAk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"1⤵PID:3188
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c2⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵PID:3996
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:2032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OIgYMMQo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""2⤵PID:3912
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
- Modifies registry key
PID:2900
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:4916
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
PID:2852
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵PID:2060
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:940
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qSEoMcIA.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:2496
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:1808
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3348
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:3468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:1600
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUYsUYkE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""2⤵PID:4688
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:1444
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2260
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Modifies visibility of file extensions in Explorer
PID:4612
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:4012
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵PID:396
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
PID:1088
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:4116
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:1172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵PID:3116
-
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c2⤵PID:4896
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"3⤵PID:3416
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zGkEEAMU.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""3⤵PID:1720
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- UAC bypass
- Modifies registry key
- Suspicious behavior: EnumeratesProcesses
PID:1800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcQIEscM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""4⤵PID:4812
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- UAC bypass
- Modifies registry key
PID:2556
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies registry key
PID:1608
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies registry key
PID:1172
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:2224
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4924
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGgwAAUo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:1600
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:2400
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e81bb5df99824af4df653f5b58f606aa GWEBFuMuekO7LqBgRQNq4g.0.1.0.0.01⤵PID:2496
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:464
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:4220
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1284
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"1⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c2⤵PID:2948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"3⤵PID:1612
-
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c2⤵PID:2260
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OoUsIMcY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""2⤵PID:1928
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:2704
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2908
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies visibility of file extensions in Explorer
PID:2856
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c3⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4704
[depth 2] PID:3224 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:3116 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] PID:2156 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:2440 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:1604 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEokgQUM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:4060 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:2948 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- Modifies visibility of file extensions in Explorer
- UAC bypass
[depth 3] PID:792 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OuwYYwYw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 4] PID:2228 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 3] PID:4928 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 4] PID:3720 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- Modifies visibility of file extensions in Explorer
- UAC bypass
[depth 4] PID:3408 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 5] PID:3332 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 4] PID:4056 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 3] PID:4440 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 3] PID:3376 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] PID:1928 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies registry key
[depth 2] PID:3996 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:3044 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] PID:3488 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] PID:3336 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:4116 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
[depth 2] PID:4960 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\geYgEUgc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 3] PID:1724 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 4] PID:3828 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 3] PID:3348 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 3] PID:3424 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- UAC bypass
[depth 3] PID:1152 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 4] PID:3920 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- UAC bypass
[depth 2] PID:4968 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
[depth 2] PID:2184 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:1264 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] PID:4052 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:3320 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] PID:760 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:876 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 2] PID:3420 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:4704 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:1920 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:3656 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:3692 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:760 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:2060 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:4672 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:3652 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:1244 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 2] PID:1892 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkcAMUIk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 3] PID:4388 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 2] PID:1088 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- Modifies registry key
[depth 1] PID:1600 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:2152 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 3] PID:5092 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAYUkowM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 4] PID:1284 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:3488 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 1] PID:464 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:1460 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 1] PID:4212 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:2728 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:1616 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:4620 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqYEEYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 3] PID:4388 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:3760 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:4880 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:2252 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:868 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:4252 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:3476 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:640 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:4000 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:3376 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:464 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KCocYYEg.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 1] PID:3772 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:4336 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:3320 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 3] PID:3476 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmAgAAgk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 3] PID:1300 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- Modifies visibility of file extensions in Explorer
- UAC bypass
[depth 3] PID:4516 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 4] PID:5040 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcsEcEQE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 4] PID:4924 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- Modifies registry key
[depth 4] PID:4524 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 5] PID:2908 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 4] PID:1616 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 3] PID:2316 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- Modifies registry key
[depth 3] PID:4852 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:2628 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] PID:4584 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 2] PID:4436 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 3] PID:3900 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:1816 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 2] PID:4196 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:1824 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:2220 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\taEcQUgw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:5036 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 3] PID:4396 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
- Modifies visibility of file extensions in Explorer
[depth 2] PID:3144 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:2000 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies registry key
[depth 2] PID:3476 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:3000 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:2708 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] PID:5092 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:2932 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:4716 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyMoYscc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 3] PID:4852 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 2] PID:3720 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:5108 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:3352 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
[depth 2] PID:2972 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:1088 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:1816 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VUQQYIgM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:1600 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:1248 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:3980 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] PID:1124 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:2748 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:2628 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:3804 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:1300 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:1124 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:4968 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:2972 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CEwQgUck.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:2252 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 3] PID:1176 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEwUIYkw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 3] PID:3000 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 3] PID:1460 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 3] PID:4672 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 3] PID:1720 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 4] PID:1876 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:1600 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:2856 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] PID:2000 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 3] PID:1552 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] PID:3144 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:2788 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukYIwMsI.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:1124 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:4388 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:1172 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] PID:4040 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 3] PID:4292 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] PID:3828 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:3364 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:3236 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NocoMIAk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 3] PID:4960 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:4792 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:2152 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 3] PID:4960 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 2] PID:1244 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] PID:2400 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:4012 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:3288 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] PID:2184 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:4704 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:4580 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juAgUMwI.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:3336 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:1720 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 3] PID:3288 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 4] PID:4108 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 5] PID:4308 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 2] PID:2948 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] PID:548 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 2] PID:2220 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWYgYUkc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:3900 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 3] PID:4564 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YiEksQsM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 3] PID:3188 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- Modifies visibility of file extensions in Explorer
- UAC bypass
[depth 3] PID:3568 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- Modifies registry key
[depth 3] PID:3100 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 3] PID:1772 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 4] PID:2488 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- UAC bypass
[depth 2] PID:1888 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:1684 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies registry key
[depth 1] PID:2296 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:1000 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] PID:1936 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:4612 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:3660 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMgEsMoM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:2828 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:4500 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:1300 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] PID:2168 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 2] PID:2604 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] PID:3336 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:2836 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 3] PID:3980 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 4] PID:1552 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEokUEks.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 4] PID:1896 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 4] PID:372 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 4] PID:3308 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
[depth 4] PID:4584 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 3] PID:640 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 4] PID:2152 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yucscIEY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 4] PID:3116 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- Modifies registry key
[depth 4] PID:4880 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 4] PID:1896 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 4] PID:2880 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 2] PID:1800 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kowckcoo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:664 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:60 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:4796 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 1] PID:2856 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:4284 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:4212 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:1968 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rCAkowcc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:1420 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
[depth 2] PID:2348 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:4092 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
[depth 2] PID:1244 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:4040 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 2] PID:1604 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] PID:1172 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:4796 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:1464 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:4396 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 1] PID:1176 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:1000 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 2] PID:4880 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkcoIQAY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:5068 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:3376 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:4252 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] PID:3488 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:2000 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqwoMgQs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 1] PID:3024 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 1] PID:2836 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:4052 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- UAC bypass
- Modifies registry key
[depth 2] PID:316 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- UAC bypass
- Modifies registry key
[depth 2] PID:1152 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- UAC bypass
[depth 2] PID:3320 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:464 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] PID:1888 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] PID:5072 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:1248 | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe | C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 2] PID:2168 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] PID:4436 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- UAC bypass
[depth 2] PID:1608 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uyIUUsQo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:372 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- Modifies registry key
[depth 2] PID:3616 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:4928 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies registry key
[depth 2] PID:2032 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] PID:1508 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSoIssgE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:876 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcMQEgwg.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] PID:2276 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] PID:3628 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] PID:1616 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 1] PID:1152 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 1] PID:2084 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 1] PID:2628 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 1] PID:1896 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] PID:4580 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] PID:4000 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAcsoYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:4488
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:60
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:1816
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:2708
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMIIEAIs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""2⤵PID:2000
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:3512
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
PID:2856
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
PID:2400
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:3828
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"1⤵PID:4336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qmUUcMYs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""2⤵PID:876
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:3488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwoggYkY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""3⤵PID:2228
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:3524
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4440
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:2556
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:3720
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JeYEQcEA.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""4⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1444
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- UAC bypass
PID:792
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies visibility of file extensions in Explorer
PID:1772
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies visibility of file extensions in Explorer
PID:4388
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
PID:3320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuoYQgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""3⤵PID:3684
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:3424
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
PID:4680
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
PID:4940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UwsQQkIE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""4⤵PID:3692
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:5004
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:4568
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:3904
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"4⤵PID:3188
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"3⤵PID:1244
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5092
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2880
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:4880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DwsUMMkE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""3⤵PID:3420
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
PID:4484
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:1932
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c4⤵PID:2488
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"3⤵PID:3144
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3116
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZkUQIgss.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:4500
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:5036
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:1532
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:920
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3632
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1172
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
PID:2352
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:4516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCIQskAY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:3000
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- Modifies registry key
PID:1892
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:4484
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:3144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"1⤵PID:3528
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3420
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:3592
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsksYUQo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:1148
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
PID:3696
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
PID:1248
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
PID:3996
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2352
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oScggwAo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:1816
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAcMMoEE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""2⤵PID:3884
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:4132
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3668
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
PID:760
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:3476
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKwUUocA.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""2⤵PID:1892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3288
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
PID:2948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEUUYIAs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""3⤵PID:3424
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
PID:3804 -
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c4⤵PID:1724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEIkYQAg.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""5⤵PID:4584
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4336
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"5⤵PID:1720
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:1616
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:2260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TqoIggMI.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""5⤵PID:4052
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
PID:4680
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵PID:1876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQogkcso.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""6⤵PID:3692
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QykoAIMo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""7⤵PID:4940
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f7⤵PID:1172
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 27⤵
- Modifies registry key
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c8⤵PID:3100
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵PID:2196
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 17⤵
- UAC bypass
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c8⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3900
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:3760
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"7⤵PID:4524
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:2900
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:3224
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:2220
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵PID:3652
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 27⤵
- Modifies visibility of file extensions in Explorer
PID:2000
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 17⤵PID:920
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies registry key
PID:2152 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵PID:4564
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Modifies visibility of file extensions in Explorer
PID:1824
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"6⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4712
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵PID:1824
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"5⤵PID:1148
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
- Modifies registry key
PID:3652
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:2352
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"4⤵PID:4080
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:1928
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:4040
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"3⤵PID:1600
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3656
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:5068
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3772
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:2704
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:3920
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:3452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"1⤵PID:4012
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:2348
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:2824
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:4852
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:2900
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"1⤵PID:3288
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCIgkIcc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:3000
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
PID:3628
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
PID:3224 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- UAC bypass
PID:3000
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:3340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"1⤵PID:2108
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:2112
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:3996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYkAIMcw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""3⤵PID:4968
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- UAC bypass
PID:876 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵PID:1932
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:2932
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
PID:3048
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:5072
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsAssEAE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""4⤵PID:5036
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:5068
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:4716
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:4292
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"4⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3804
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:4012
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"3⤵PID:4252
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:912
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:2824
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:1124
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:1248
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCYgMEwE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""2⤵PID:3144
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
PID:2460
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:1676
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4916
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵
- Modifies visibility of file extensions in Explorer
PID:4012
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:3024
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:3340
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:3524
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"1⤵PID:3844
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:2112
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCMMIgkQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:3828
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:3224
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
PID:3660
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:372
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:2748
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4212
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
PID:2224
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:4388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"2⤵PID:4452
-
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:5072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
PID:2252
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exeC:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c1⤵PID:1724
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
PID:1616
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JyEUcsAY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""1⤵PID:1148
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:3116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WsMYIEcc.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""2⤵PID:1452
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
PID:876
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
PID:1824
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
PID:1244 -
Process tree (continued). Each entry gives [nesting depth] image path (PID), then the command line on the next line, then the behaviour tags Triage attached to that PID. Caveat for anyone reading the tags: they are keyed by PID, and this run reused PIDs heavily (4544 appears on a reg.exe and a conhost.exe, 3524 on a cmd.exe and a conhost.exe, 4672 on a reg.exe and on backgroundTaskHost.exe), so tags such as "UAC bypass" on conhost.exe or "Modifies visibility of file extensions in Explorer" on backgroundTaskHost.exe are almost certainly carried over from an earlier process with the same PID rather than behaviour of those Windows binaries. The conhost.exe 0xffffffff -ForceV1 entries are the console hosts Windows spawns for every console process (cmd.exe, reg.exe, cscript.exe) and are noise.

[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 464)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OKogYYsI.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  - Modifies visibility of file extensions in Explorer
[depth 3] C:\Windows\SysWOW64\reg.exe (PID 4940)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
[depth 4] C:\Windows\SysWOW64\cmd.exe (PID 3408)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RasIoYgs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\SysWOW64\reg.exe (PID 3004)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 4] C:\Windows\SysWOW64\reg.exe (PID 2152)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies visibility of file extensions in Explorer
[depth 4] C:\Windows\SysWOW64\reg.exe (PID 4016)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
[depth 4] C:\Windows\SysWOW64\cmd.exe (PID 1600)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
[depth 3] C:\Windows\SysWOW64\reg.exe (PID 2184)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 3] C:\Windows\SysWOW64\reg.exe (PID 1460)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 2728)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 4212)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 3524)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMcMgYYg.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 3] C:\Windows\SysWOW64\reg.exe (PID 4544)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 3] C:\Windows\SysWOW64\reg.exe (PID 3528)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 4] C:\Windows\System32\Conhost.exe (PID 4544)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
[depth 5] C:\Windows\SysWOW64\cmd.exe (PID 912)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oGoEUoMk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 5] C:\Windows\SysWOW64\reg.exe (PID 2400)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 6] C:\Windows\System32\Conhost.exe (PID 1088)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
[depth 5] C:\Windows\SysWOW64\reg.exe (PID 2624)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
[depth 6] C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe (PID 4988)
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 5] C:\Windows\SysWOW64\reg.exe (PID 2088)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 3] C:\Windows\SysWOW64\reg.exe (PID 4708)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1928)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  - Modifies visibility of file extensions in Explorer
  - Checks whether UAC is enabled
  - System policy modification
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 3660)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 3376)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 4664)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 1876)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 4672)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] C:\Windows\System32\Conhost.exe (PID 2624)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 1172)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 2296)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuwMQowk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 3920)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 1608)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 2272)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] C:\Windows\System32\Conhost.exe (PID 2224)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\system32\wbem\wmiprvse.exe (PID 3964)
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
[depth 1] C:\Windows\SysWOW64\cscript.exe (PID 1676)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] C:\Windows\SysWOW64\cscript.exe (PID 1876)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] C:\Windows\System32\Conhost.exe (PID 4292)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 2604)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\veUQQQoo.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 3416)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] C:\Windows\SysWOW64\cscript.exe (PID 3112)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 3980)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies visibility of file extensions in Explorer
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 3188)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
[depth 2] C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe (PID 5096)
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] C:\Windows\SysWOW64\cscript.exe (PID 4680)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] C:\Windows\System32\Conhost.exe (PID 2440)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SysWOW64\cscript.exe (PID 4308)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] C:\Windows\System32\Conhost.exe (PID 2108)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\System32\Conhost.exe (PID 2828)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe (PID 4928)
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] C:\Windows\System32\Conhost.exe (PID 1684)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 4872)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jacckQYM.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 2488)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 4212)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGUwQccQ.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 3028)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 2024)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 2460)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 3] C:\Windows\System32\Conhost.exe (PID 3524)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 4536)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 372)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - UAC bypass
[depth 1] C:\Windows\SysWOW64\cscript.exe (PID 836)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] C:\Windows\System32\Conhost.exe (PID 4680)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\System32\Conhost.exe (PID 2276)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 4516)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueEwMQYs.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 3528)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 756)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 3844)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 3236)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] C:\Windows\SysWOW64\cscript.exe (PID 3488)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] C:\Windows\System32\Conhost.exe (PID 2156)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\System32\Conhost.exe (PID 4796)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
[depth 1] C:\Windows\SysWOW64\cscript.exe (PID 4052)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] C:\Windows\System32\Conhost.exe (PID 3996)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
[depth 1] C:\Windows\System32\Conhost.exe (PID 4720)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
[depth 2] C:\Windows\System32\Conhost.exe (PID 1892)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 4808)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUQcAcEY.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 3] C:\Windows\SysWOW64\reg.exe (PID 1896)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies visibility of file extensions in Explorer
[depth 3] C:\Windows\SysWOW64\reg.exe (PID 1816)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Suspicious behavior: EnumeratesProcesses
[depth 3] C:\Windows\SysWOW64\reg.exe (PID 1808)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
[depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2724)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] C:\Windows\SysWOW64\cscript.exe (PID 3336)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 1176)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
[depth 2] C:\Windows\System32\Conhost.exe (PID 4724)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 1264)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 4612)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 212)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] C:\Windows\System32\Conhost.exe (PID 2084)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 3516)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiEMEosk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 3188)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
[depth 2] C:\Windows\System32\Conhost.exe (PID 3516)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 2196)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 3872)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 2972)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] C:\Windows\System32\Conhost.exe (PID 2088)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 2996)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
  - Modifies registry key
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 1664)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 2180)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 2] C:\Windows\System32\Conhost.exe (PID 3452)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
[depth 1] C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe (PID 3452)
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 4712)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
[depth 1] C:\Windows\SysWOW64\cscript.exe (PID 2376)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 2] C:\Windows\SysWOW64\cmd.exe (PID 4424)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiAEoQUE.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 4412)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
  - Modifies registry key
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 3668)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 2] C:\Windows\SysWOW64\reg.exe (PID 1264)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 1] C:\Windows\System32\Conhost.exe (PID 1876)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\System32\Conhost.exe (PID 4716)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\System32\Conhost.exe (PID 4928)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
[depth 1] C:\Windows\SysWOW64\cscript.exe (PID 4040)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] C:\Windows\System32\Conhost.exe (PID 4664)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 792)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWIAAUYw.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 2] C:\Windows\System32\Conhost.exe (PID 4860)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 4300)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 3672)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 1968)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 3024)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
[depth 1] C:\Windows\System32\Conhost.exe (PID 920)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
[depth 1] C:\Windows\System32\Conhost.exe (PID 1532)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe (PID 1248)
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  - Suspicious behavior: EnumeratesProcesses
[depth 1] C:\Windows\System32\Conhost.exe (PID 3684)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 592)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eEYwkAwk.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 2272)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
[depth 2] C:\Windows\System32\Conhost.exe (PID 592)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 4884)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 4872)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
[depth 1] C:\Windows\SysWOW64\cscript.exe (PID 1064)
  cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
[depth 1] C:\Windows\System32\Conhost.exe (PID 4692)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\System32\Conhost.exe (PID 3376)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 1724)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DccgAIQg.bat" "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe""
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 516)
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 2788)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
[depth 1] C:\Windows\SysWOW64\reg.exe (PID 2400)
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
[depth 1] C:\Windows\System32\Conhost.exe (PID 3112)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Windows\SysWOW64\cmd.exe (PID 2628)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c"
  - Modifies visibility of file extensions in Explorer
[depth 1] C:\Windows\System32\Conhost.exe (PID 2836)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Suspicious behavior: EnumeratesProcesses
[depth 1] C:\Windows\System32\Conhost.exe (PID 2376)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Suspicious behavior: EnumeratesProcesses
[depth 1] C:\Windows\System32\Conhost.exe (PID 2060)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c.exe (PID 4940)
  C:\Users\Admin\AppData\Local\Temp\fbeaea693a1a5948798b7cac0d3c862c
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
[depth 1] C:\Windows\System32\Conhost.exe (PID 940)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 1] C:\ProgramData\CoAMMwgg\ZiUgoYQo.exe (PID 1448)
  C:\ProgramData\CoAMMwgg\ZiUgoYQo.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
[depth 1] C:\Windows\system32\backgroundTaskHost.exe (PID 4672)
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  - Modifies visibility of file extensions in Explorer
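The reg.exe, cscript.exe and ProgramData launches in the tree above are the process-creation telemetry (Sysmon event 1, Windows 4688 with command-line logging) that a detection engineer would key on. The Python below is an added example for readers of this report, not code from Triage or from the sample. It classifies records of that shape and handles the details visible above that naive string matching gets wrong: the two switch orders the batch files use (/v ... /d ... /t ... /f versus /f /v ... /t ... /d), quoted or fully spelled-out hive names, hex data such as 0x0, and the forward slash in Temp/file.vbs. Only T1548.002 and T1547.001 come from the report's ATT&CK table; T1564.001 for the Explorer values and T1059.005 for cscript are my mapping, and the ProgramData rule deliberately claims no technique ID. The first five sample records are command lines copied from the report, the rest are constructed benign variants that must not fire. Two caveats on the EnableLUA write: it only succeeds under an elevated token (the sandbox user is an administrator), and the change takes effect at the next reboot, so the "UAC bypass" label records intent rather than an immediate elevation.

```python
"""Classify Windows process-creation records against the behaviours in this report.
Added example for readers of the report; not code from Triage or from the sample."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK ID, or "-" where this example claims none
    image: str
    pid: int


# Registry keys the sample's batch files write, normalised to full hive name + lower case.
POLICY_SYSTEM = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
EXPLORER_ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
HIVE_ALIASES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user",
                "hkcr": "hkey_classes_root", "hku": "hkey_users", "hkcc": "hkey_current_config"}
# %TEMP% of any user, either separator, because the report shows 'Temp/file.vbs'.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp[\\/]", re.IGNORECASE)


def split_windows_args(cmdline: str) -> list[str]:
    """Split on whitespace while honouring double quotes (enough for reg/cscript lines)."""
    args, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def normalise_key(key: str) -> str:
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.lower(), hive.lower()) + sep + rest.lower()


def parse_reg_add(args: list[str]) -> tuple[str, str, str | None] | None:
    """Return (normalised key, lower-cased value name, data) for 'reg add', whatever the switch order."""
    if len(args) < 3:
        return None
    exe = args[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or args[1].lower() != "add":
        return None
    opts = {}
    i = 3
    while i < len(args):
        if args[i].lower() in ("/v", "/d", "/t") and i + 1 < len(args):
            opts[args[i].lower()] = args[i + 1]
            i += 2
        else:
            i += 1
    return normalise_key(args[2]), opts.get("/v", "").lower(), opts.get("/d")


def as_dword(text: str | None) -> int | None:
    """reg.exe accepts decimal or 0x-prefixed hex for REG_DWORD data."""
    if text is None:
        return None
    try:
        return int(text, 0)
    except ValueError:
        return None


def classify(image: str, cmdline: str, pid: int) -> list[Finding]:
    findings: list[Finding] = []
    parsed = parse_reg_add(split_windows_args(cmdline))
    if parsed is not None:
        key, name, data = parsed
        value = as_dword(data)
        if key == POLICY_SYSTEM and name == "enablelua" and value == 0:
            findings.append(Finding("uac-disabled-enablelua", "T1548.002", image, pid))
        if key == EXPLORER_ADVANCED and name == "hidefileext" and value == 1:
            findings.append(Finding("explorer-hide-extensions", "T1564.001", image, pid))
        if key == EXPLORER_ADVANCED and name == "hidden" and value == 2:
            findings.append(Finding("explorer-hide-hidden-files", "T1564.001", image, pid))
    low = image.lower()
    args = split_windows_args(cmdline)
    if low.endswith(("\\cscript.exe", "\\wscript.exe")) and any(USER_TEMP.search(a) for a in args[1:]):
        findings.append(Finding("script-host-from-user-temp", "T1059.005", image, pid))
    if low.startswith("c:\\programdata\\"):  # the report's "Executes dropped EXE" case
        findings.append(Finding("exe-launched-from-programdata", "-", image, pid))
    return findings


def scan(records: list[tuple[str, str, int]]) -> list[Finding]:
    return [f for image, cmdline, pid in records for f in classify(image, cmdline, pid)]


# First five records are command lines taken from the report; the rest are constructed
# benign/variant lines that must NOT fire.
SAMPLE_RECORDS = [
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f", 4940),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2", 2152),
    (r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1", 4016),
    (r"C:\Windows\SysWOW64\cscript.exe", r"cscript C:\Users\Admin\AppData\Local\Temp/file.vbs", 1676),
    (r"C:\ProgramData\CoAMMwgg\ZiUgoYQo.exe", r"C:\ProgramData\CoAMMwgg\ZiUgoYQo.exe", 1448),
    (r"C:\Windows\System32\reg.exe",  # constructed: re-enables UAC, quoted full hive name
     r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0x1 /f', 100),
    (r"C:\Windows\System32\reg.exe",  # constructed: read-only query
     r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA", 101),
    (r"C:\Windows\System32\conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", 4544),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.rule:32} {f.technique:10} pid={f.pid:<5} {f.image}")
```

Run as a script it prints one line per finding; as a module, `scan()` takes (image, command line, PID) tuples from whatever log source you have. Matching on the normalised key rather than on the literal "HKLM" string is what keeps the quoted HKEY_LOCAL_MACHINE variant from slipping past, and parsing /d through int(text, 0) is what catches 0x0.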
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control, T1548.002 (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder, T1547.001 (1)
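For responders, the two ATT&CK rows above translate into concrete host checks: the EnableLUA, Hidden and HideFileExt values the batch files write, and a Run key pointing at C:\ProgramData\CoAMMwgg\ZiUgoYQo.exe. The script below is an added example for readers of this report, not code from Triage or from the sample. Its comparison logic is plain Python so it can be exercised with constructed data anywhere; only read_live() touches the registry, through the standard winreg module on Windows. The caveat it encodes is the one that matters when reading the report's tags: Hidden=2 and HideFileExt=1 are the Windows default Explorer settings, so finding them on a host proves nothing by itself (the "Modifies visibility of file extensions in Explorer" tags record the write, not a change of state); EnableLUA=0 is a genuine deviation from default. The hardened baseline (EnableLUA=1, HideFileExt=0, Hidden=1) and the list of staging directories are my choices, and the Run-entry filter is a triage aid, not a verdict.

```python
"""Host-side audit for what this sample leaves behind: the three registry values its
batch files write and Run-key persistence from a staging directory. Added example for
readers of the report, not code from Triage or from the sample."""
from __future__ import annotations

import sys
from dataclasses import dataclass

# (hive, subkey, value name, hardened setting, Windows default, what the sample writes).
# Hidden=2 and HideFileExt=1 are the Windows defaults, so the sample's writes only change
# anything on a host whose user had altered them; EnableLUA=0 is a real deviation.
CHECKS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 1, 1, 0),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", 0, 1, 1),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", 1, 2, 2),
]
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"),
]
# Directories writable without elevation that malware stages from (my choice of list).
STAGING_DIRS = ("c:\\programdata\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "c:\\users\\public\\")


@dataclass(frozen=True)
class ValueFinding:
    path: str
    observed: int | None
    verdict: str  # "matches-sample" | "not-hardened" | "ok"


def evaluate_values(observed: dict[str, int | None]) -> list[ValueFinding]:
    """observed maps 'HIVE\\subkey\\name' to its data, or None when the value is absent;
    an absent value behaves like the Windows default."""
    out = []
    for hive, sub, name, hardened, default, written_by_sample in CHECKS:
        path = f"{hive}\\{sub}\\{name}"
        observed_value = observed.get(path)
        effective = default if observed_value is None else observed_value
        if effective == written_by_sample and written_by_sample != default:
            verdict = "matches-sample"      # only possible for EnableLUA
        elif effective != hardened:
            verdict = "not-hardened"        # true on a default install for the Explorer values
        else:
            verdict = "ok"
        out.append(ValueFinding(path, observed_value, verdict))
    return out


def executable_of(command: str) -> str:
    """Executable path from a Run value: either "quoted path" args or unquoted-path args."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entries(entries: dict[str, str]) -> dict[str, str]:
    """Run values whose executable lives in a staging directory, as the report's
    C:\\ProgramData\\CoAMMwgg\\ZiUgoYQo.exe does. Some legitimate per-user installers
    also start from AppData, so treat hits as leads to verify, not as verdicts."""
    paths = {name: executable_of(cmd).lower() for name, cmd in entries.items()}
    return {name: entries[name] for name, p in paths.items() if any(d in p for d in STAGING_DIRS)}


def read_live() -> tuple[dict[str, int | None], dict[str, str]]:
    """Windows only: collect the checked values and every Run entry via winreg.
    Imported lazily so the pure functions above run on any platform."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    values: dict[str, int | None] = {}
    for hive, sub, name, *_ in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                values[f"{hive}\\{sub}\\{name}"] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            values[f"{hive}\\{sub}\\{name}"] = None
    run: dict[str, str] = {}
    for hive, sub in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    run[f"{hive}\\{sub}\\{name}"] = str(data)
                    index += 1
        except OSError:
            continue
    return values, run


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host under investigation")
    live_values, live_run = read_live()
    for finding in evaluate_values(live_values):
        print(f"{finding.verdict:15} {finding.path} = {finding.observed}")
    for name, command in suspicious_run_entries(live_run).items():
        print(f"run-entry       {name} -> {command}")
```

Run it with the same Python bitness as the OS when you care about the WOW6432Node Run key, since a 32-bit interpreter is redirected there silently. A host showing EnableLUA "matches-sample" together with a Run entry under C:\ProgramData is strong corroboration; the two Explorer values alone are not.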
Downloads
-
Filesize 431KB
MD5 f698fc6810e362ebb41ac4e30dbdb2de
SHA1 a9fe5bfbb518463c0e94fbca57d1157ee823a49e
SHA256 3a24c7b2c1ca6f53b7d40aa34444bed6bcbd6051c39cacb21ef9906ee16ab97a
SHA512 3f54d8e782542188457797c3086745d8226edd745bd22c656f000cac5aa882b5ac238d6729c2f3eb280ac7ca6d6566eb94e02c90ccd7f930f289f217ee63e083
-
Filesize 1.0MB
MD5 88887d81797b50122405ac94277f8684
SHA1 237446a98574d43e0745c8fa0b5728466ed6f77c
SHA256 6c1b92df1f21865513ca3b0bab83bafeb9f1ab4486e726c53eb330696b8a3d82
SHA512 6f2436d85a84e20ec7a3feac2b0304f46635155bc9ba813dc0a851ce5a21678b0835984971eaa496cb0e634fa1fa975fab34d61e72bc4f1f413c63b0376f9aa2
-
Filesize 432KB
MD5 64863671f2c5672d0ae5f88c0913b366
SHA1 0b1601c693cf3fc9941bfad96be71a7a64681144
SHA256 efadd37e270c4ce10c90d1764d5eef5e61f4f62072e7b0fc3b4169ba1db434fd
SHA512 333f7563c273b265418c94248be8ab6a2325876c4924d080394e173ef3cd4d153afa2c2c7887c3107897a1ec1c3b58970eeea892795aaf81cf95978c4507a9bc
-
Filesize 442KB
MD5 33dab2e4359d7594541fd81bd35da4c5
SHA1 d66dec9dbdb20d00a5874e4498bfe5427ba6be98
SHA256 7572c079f2e627ef84a10620344c921944986613a762166997569f67d70a9821
SHA512 1739df3b6d6f932559065bc02e6b403f1416e0468e31f91f236d509d13e4fce6a45c2452248d3ecf878468a920e09ce389128a4a2237c303e43647fed055addc
-
Filesize 437KB
MD5 5f968cffc320b0bc8131fd3c408be0c6
SHA1 e324b3cc17765997848031df32b828db1d4daf50
SHA256 f188f8bf11802fb8658ac423c937507c54bd0bbac114788df97037042d49df4f
SHA512 623cfb83b96b1cec438e90fa564b1b7383d561bf05e82c75e368880d4fbb1333bda8ca3bbb2cc1abcad011f34cb0279ea38cf00bb79348582fdf3ab5eb5cc9fa
-
Filesize 559KB
MD5 abe51baa38bef6705cc373ff2e62c0b7
SHA1 77848ddbd8407b732cb43ba5d01004464a386036
SHA256 b7a9c7179a07ab6ddb5c821264f11ec19969ae5354f900be8ecaa98eea593c2f
SHA512 71184a8b7c7947ccdcbcda9cba0480a3f30298512cd618c663f64272a394c2bb6815530222030906682a3ec262bfd0383b8d56f9d255adbb767d1a5a3b67b9a3
-
Filesize 821KB
MD5 5b52031b409bbb849342e79534a70834
SHA1 274c359b27c9d3657d7f28de6513dcc5715069f3
SHA256 6ba55cabcd6a59aef325f7e69a71e8ea4db2c634de0c9dd7c4e10cfb520a54bd
SHA512 0ec27f506693e0c876d1840f468e7bdfdf75a0d642eb537033ebfe5954d2c839dcf8fd3f2b31a9aec22a91e30f829bf358010804fab490809eaf35a57c4f046a
-
Filesize 443KB
MD5 4788d3eccb715470688a730b1275b7a4
SHA1 47463731803f075a8d07e328b6f7f751e1ed0476
SHA256 66f4e0ad3506bd374a0c2c40b1ec3a582d865dcedf7fe2806e0f17c434d5ce93
SHA512 c2bf78726f1f01d2f98842bbed0291a9680097c7d11342b0a92e8db4601a4e6cff6a1398029fa146864c77f23fea4f9a49c232ba141903fd4a61fbb7ea55cdce
-
Filesize 884KB
MD5 ad56a2244627fc44fe1ee5493aa73ae1
SHA1 3abb2a31bcb76c2ebd935bcfa1492a297a4a68ed
SHA256 35bbb5594ebcf5985e9403992fd6ea007b8e4f4552fd30e36efa38a872b82cec
SHA512 5347fcfe512e0562437c0cfe809325f6a571d88cb3c17107f0d905b3d738132f9afe71a8f821818713a11b649ec4f8dab1e404ed2b323ae31cf8b7289d4999cf
-
Filesize 435KB
MD5 3dbe93c2fd512f9b186d221fa8e90344
SHA1 24b1e39d7325b71189d5ea2ae6ba980f76f4ec4e
SHA256 dd04d7135966bcd0c1772f8c928181861d0389b3da7b09360553c89da44988a1
SHA512 6e5c423eab59e60a1abd35a43ab6b69af12e86c21d86408979ae30e0a0c06ee6afb69e3ab2f6c3915209b4c2168a32697d285a70c07977b78f47db6c2c7eaacd
-
Filesize 442KB
MD5 14fc624fff57bfb0c90b1bafadce45cd
SHA1 05f220bf91c706df2b3efe951aaaa65d37d687a1
SHA256 bb75f76a78ae67a9e5e221e568770bfe83d37bd183aa961a66b4f28a683ff07e
SHA512 b774644487810297efb4001022a13fa3e2e5f060400d2e433fa612b5085c5f5456d5b409ef23cf302c988271b2fe6e29061deabe30268d039245680f32f58078
-
Filesize 442KB
MD5 2dd236f591dc1de7e7ae68e0435bd60b
SHA1 6c6f38f264278033ad6a99c5be324a3781e1e953
SHA256 8dca9941750dd82f1e99998e033d67825c655bcde91c2695737f4a52c8c8d626
SHA512 fc862185086a2dd5d06aa3767bb6687e5f97c349acb7832247e2266c2c5b18adb0ea76b134bd1400dc83080fe6cafa3c4c1f64dc2f1083caf87cf184fe806dc0
-
Filesize 446KB
MD5 7ab4410977e256ec5a1b60ee44e2c5e0
SHA1 839b0f46f392a09fd4a2de0ba202ce0f3d9fe66e
SHA256 31919d2868a3d2d3c9a2f248ff2f759f5261247d9c8a9af86ffa20337a6830ce
SHA512 54944756021e7561fdb61919017f368e9aa31c75927680b6435f15003ebd6952764ce74cdbdaee2f174996266a9addc148649fb5c2486b97031bae882820893f
-
Filesize 501KB
MD5 de7b8c5359bf836b0ec39e2e55bb3c39
SHA1 30729622e9a5c9dee46449382607a2e2c577f25b
SHA256 ed86ceb61ed7652a7d08dd32121bd93b1903d3bbd3554ba07d14f6ae055abd3c
SHA512 d1e63aa48574b93c094d51f04b560a0765d9800651ef238184a96693cb5562877811f92a62d589e4c7ec129b904656b46a77c5a5fe1d6038c0adc37319b2e220
-
Filesize 437KB
MD5 a55684e206c83449032f07eb92ec90d4
SHA1 34bee6535bb9079d0a4bfeaf5303beea09e3f3fc
SHA256 6376c308fdea0fca7d8a0347776851584ac25b47cd0836ba1f790133b9bab85a
SHA512 e70c8c791ca8a18eef6f0c89f9903a8bd383091724ec8f55a369d1f7b38ad4e39391238f0dea5cc89ce9cb22a87173d7e043f000c06e902c24cfb3490a427240
-
Filesize 442KB
MD5 352bb4b3c8631d27f157fd510bfbd1cd
SHA1 20c73d6584429db26a7d57915721e2c57e74d0b7
SHA256 7ab51f8d93dc996fd5663d362dc24238415138624a6de5e25505e8223e99edfc
SHA512 53cda515ba9ba34b50e11dfd52e829a8dbf5e2f3fe2e97af7a23928c137af3bd5900b39ada07b94defb8ac0e7c42eefeedb7bfe51029833dbbb0d2bea3a4b087
-
Filesize 914KB
MD5 c88839adae48aa562849c6c589112826
SHA1 ecdc28fec3724ccf2bbf202333de4a84e6923d91
SHA256 5d5f57fc676ecaa6a91906d13e515b697eb8fa7c713aa8fbd65e0450784e5c36
SHA512 9fc4a49beb374601cb18b9e11a3fe303c961b0e3c8b84889c84d1314b018984a7433845c50743bb327bb073cac6db7a62a18d294d98a0ffcd0e53c9d59b4a9cb
-
Filesize 438KB
MD5 8d4db2f8ce0ecd2eb08ae2e437ab8da7
SHA1 3184c8e140351296e02adfad26e7783b845618d5
SHA256 d75238c813bd6792cae74dbcb7e9d31d163825804d1683e65e22750bc40e1eb8
SHA512 01bcc9797d0e26eecf371915f47c73919a058719defd592eb7f843d8393c3f49263a2cb218dca1bf1f3b97e5ba113ff752c763baa45966b819ea8d0d94f991af
-
Filesize 437KB
MD5 b021f235dc372b87c7b8b5f458889aec
SHA1 e8f8ce27b01a1704ed22700d484e156f1481154c
SHA256 8035873baa1e58abf58b65f09c272f5598e6002d13900285f879991fbfb49e6f
SHA512 e809d99dd12e67747fbd7cba76b0bed123569ad35ebb96211a1c55be836f85456890189570dcda81cd607d1a4e5a1865d087664f97636e0cb5b25a602edd1e53
-
Filesize 459KB
MD5 c54ea5b86336548896c8001cb90d0b30
SHA1 ba13dcf80125b47b7a28a6181aa846a841fbdce2
SHA256 567442cac255317a3c1941d5ca8741406ada89f43ef295d5dba397845ec59294
SHA512 7a4c2ca24e4e2fe5c103e816c9c27d7ca3f3ad59f77a9dbc218974bb86a82fe087e41b3c07541de1824a14cfaec02b9b494543080ebeeb2da39de614596d06e9
-
Filesize 438KB
MD5 8e69fd3eda5c68c754b5469b1dd074c4
SHA1 e54ff1609a27b0a3d5536ac443f113f6b480571c
SHA256 d94be1e37866b05a832361959ce5921677999892bfc5fecc18bcc29a8349c233
SHA512 c216de18af298efb2c968dad8c7a2356e4b328131e29ed49bd610631b856c809bbb2e6b6a9df9a2d73cc836c8c43aafaf216f20fe616af579931eef84e9e7c3b
-
Filesize 1.0MB
MD5 92fcfcf499ef75e472b67dd59fad101d
SHA1 97f1c221116621df4ff4b86569b73bb9ee13a2fa
SHA256 cc3be43f1ba649a62f281c8a5446f8c59507b321c6f707577d00f9ecb36d0bcf
SHA512 c6a150bd7342aaff546f450907c9aa76c77a4e8204d5a0f175e842097558d4a381465e934010758283b6890c650d070a47821cc137824961117a8c319ed9ae8b
-
Filesize 858KB
MD5 a2d539ccff412ce45d2126a32d58bd44
SHA1 7ff10f2c662a30f305ee2916a7fc831a31f6f8f3
SHA256 b03ba894bbf748be57d16c371de4a8b3f1a9e7036ab9db22c17d3ebf89ce4a1f
SHA512 8d5ad72e4c99163956f203d2f2799f95276a7f03396e82cc653f4b3a809167a5b2cd00e9aec1287258f0590ee5374c19b894f96b1fb99c97a3ac92c13a473956
-
Filesize 1019KB
MD5 640cd172b95f0871d88c8a82aaf95d97
SHA1 1ce1f8f220a30c1de9ad8f47c2cbd1ad94ab2fe6
SHA256 5e5cc2058626be9c8e2b2d11e4cac88f3b5476cd38c97cce400c2eb65dbfd360
SHA512 f6d390fbd40181512512612b5e5b750270cb67237928204b7952fea92899d06ee3495aedbec131cb6fdbd119cef31e46eb43da7f897fb450d5562b8de2fb4da9
-
Filesize 439KB
MD5 1d2b62a980797375ba650f1e7b862891
SHA1 c5c27853729b92f5da415b35d1b86df6012b4772
SHA256 ac79c85f24dc41bf48f0a2b82e8fd6b6e332ee5a5648dfffc785ec2ea7ce70b1
SHA512 55f131ccc6dcf1cc87ccd3eb3f54e9adc8a3491c308276c64eb5efcda8c75ced46a4debc7e2cbc3b1205ec6146af70ca63c59294eb7bcc214fec81a1b4099871
-
Filesize 810KB
MD5 dccb2b293075b50dc659871e64a9120a
SHA1 6b0231001a050203d87655194f644d7b9ed8a9b6
SHA256 560298fc248d48cb5e2edd04fe952bb1b9361b05388aef31c77ba755b8a3a091
SHA512 7e7155ba02abee7bd72ec71af7531f4c2acc0305f0444a1a284d9ad5a6c537b986f183cb0612c1a0491b0d92641a7e2e66314b5f60841ae329f5e1e6c94a1406
-
Filesize 439KB
MD5 f0b141fe52d7b3514c8b88f448fc9ea7
SHA1 8ac434d7b473674e8b0ca09deadf3403b71c63d9
SHA256 8a2608e167cf1d63ceb6cbab751720358b57e917229929af485324398da7fca4
SHA512 294535487fffabc0785465da6ee2391099cc1af46c1d29f5b86035744ce52d338d70b2683ec74037a0a197cd8754a47e19e8a845612db37e85c63a8e1f2a94a4
-
Filesize 887KB
MD5 32b1759dfac505351addbf01abac8307
SHA1 54343e02bcaf9d9aa45b8391bdea19e9027da2fa
SHA256 ba4743dd0de24271b6b6f8968a9427e3ea959319d9dcdc2f7efcf2ca7ed5576f
SHA512 a8287ece161e407d1cfbd199203cd51744c9f199bd2b3792f31537ce2195832378f1b81e2b941e5bda5b8db3460b5644c0a735b68798cfd2edd594f3fde39eef
-
Filesize 48KB
MD5 c8d351bf2848d70bacc8c54aebe5ce0a
SHA1 f3e4789442f2bf6f76a03d2462bcdc26e9efc78e
SHA256 b0c2252a53340d411dab77569089953661edf4bbb0e87c2b4b7ab792adc9818f
SHA512 18461905567ed2e40fa29dd7ab1d6a485e0896c8860180286f5524cb4fcc75890b3dcd785163f962b2e3819f9c4bd62d353feb8ba1ba67f73011ec4b42eb2ec5
-
Filesize 19B
MD5 4afb5c4527091738faf9cd4addf9d34e
SHA1 170ba9d866894c1b109b62649b1893eb90350459
SHA256 59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA512 16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize 876KB
MD5 4f73ec550355d023ca52944ff76ace6a
SHA1 9a16e843212c41e66da746bcc72ba8bb78a2a464
SHA256 645f525cb430ea42340b89c25d37f192883d04536db730e6c2f5c38f3317e7fc
SHA512 0efa470801237153aac205977a94f8cb42d28e547bb107b204befa7283ed058fff60149af354cd641a09b00582a374fb4dc9b2db85b766695bd0f9c60fbd98d9
-
Filesize 439KB
MD5 9f7f847b81bf61f0436271a85cc965ca
SHA1 6966d17a1eb658daaa7f77771f57a68520435a78
SHA256 4d4745a103ab420f67531fede1e2e55c6fee091f55b0629c01118a73de561c97
SHA512 69e248c6c84eb849bc437785023fde90db97b870da6b0461561eedc79d3dd480d6ee1cbe6c47e33e7823b43e4ec5320b47f14330fd64dcf41a836e9c541fdbb3
-
Filesize 435KB
MD5 57703c76d1f8978159884190051bf657
SHA1 248e733784904f0fd906fcf23259b680637803b5
SHA256 b766eba65ccef6b5dc5768b4c863c69e86b0b8ae72fbdeb79a8d0668333dcd68
SHA512 a9fb5c7e52f34b306e6f732b6795b203916838c5ae832029cb8d60ec90f10a3e06e2ba9a76406e5878bb52bb4b9fe81533f3a91f4594a09908f952e853f196e0
-
Filesize 877KB
MD5 cd53afeeb5fd4e38608a861221e51c51
SHA1 6dff4b85f05bca0c4adcd5090b8ebec2cfc9694c
SHA256 416d20a0874d9619cda11a8b003280c3fa5094e7865bc36cad5ff4f5a6f9841b
SHA512 f8f82682d25dfbc19e48cc432ce819a3d22591db276787c308fbf14d94d7e4d761fd60389ffadce7589dc7bebb38ace37c2d7cc0922c765d9f98dafb81471392
-
Filesize 437KB
MD5 9c2bb64ea2bc3cde370c764e9369ee86
SHA1 ebd52fa395e15cfcfd735bdf16654981abf6f5c1
SHA256 9703568da1d88183bb643670f19b238379f9149cf1ae02494a4f5ba1d02eb46a
SHA512 82cc4ade6223838c042b54de6bdb27974b81a806662065421826902b0644af7bc69af6b131ad9a9cbfef0e705b9049b2d0b5a7af7e298d17779df3a1a074b926
-
Filesize 437KB
MD5 e9a3f6eada478775601c8e52db014f12
SHA1 1ce92d2deecda28d923fc335802344f4dea1c668
SHA256 009edc299966b58abf45cd13fd626c9b36cbccf3e749375f8d816218bafea6ab
SHA512 d7a448d2ba7dde23c11cffb4797c6a1d7819a4a2fe07d2a05b0357ab16b655c1a3f3f9887c594f769a1aeee6e7fcec400910bee05431d2dc1cb95f1855a53239
-
Filesize 4KB
MD5 ac4b56cc5c5e71c3bb226181418fd891
SHA1 e62149df7a7d31a7777cae68822e4d0eaba2199d
SHA256 701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3
SHA512 a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998
-
Filesize 112B
MD5 bae1095f340720d965898063fede1273
SHA1 455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256 ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA512 4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize 439KB
MD5 0a38e006b7279e9dd0eeb6c060f87fe2
SHA1 e04ae7b65bc253744cf6222b63ad59f40bd5061e
SHA256 0895f431ad1ec7ed5dc1ff9f8d388a9dd8f6a249324be03c2eb2f59cc63bed01
SHA512 191c8233d585f62d6604e7e4c9aab2a5334353ec1aab207caa20697f00663654b0153c660a6db5abddf2b283fee7b36701cc6cab9833853f00803f5e152884ad
-
Filesize 454KB
MD5 70af972273d8a6a389dfbb1b4c85b976
SHA1 89723474251f5c1e0d57bf9d7fab7aaea7fe58bd
SHA256 e737381aca83bcdfd8cae0ccce4726046b55bbd8993725db100cdaaa157faa51
SHA512 9bac10f21220803d2dc77b5922503706b7adb1d19c1c8161691a66f393d453c6bfb5a6de5a45fd6b775f93c9ecd4858d9eef01fcd7c7f3bdc184c771a7b3c308
-
Filesize 431KB
MD5 b7783a7316557958b604242dbe9848c2
SHA1 9844213e39123f84a78fb9ee41928e0ad71d416f
SHA256 b8c42c7a5625e6e7c628f5eb6290e64fa7f2013c56b2f1c4d16f42784f529218
SHA512 96feb068d44ca25b676a28b80cf8435be49c0bc6dd6a79937eb64915b8afd8bb1ce2aa890df0cf373a34bc22f8ea05a2dfa482a3147a620a00197758aa0dc080
-
Filesize 475KB
MD5 606dd3dd02145b32b43cc461d5a405be
SHA1 a1ecc330a22d512f39fafccd6c5186573eda8833
SHA256 a1fb0e2cb689778625bc87685f3f5e3c46b42025ba266239822ff9d5856604c6
SHA512 485a6f86d0b672e5e3bad92719d19101baf1e98e38c7717300995592aa5b051fb31c7c5315b66757c435b4aeef369eef15c9ba77f547cd01116fff5c1ed2708e
-
Filesize 445KB
MD5 a5e08aeb5dc19e8690fa3e22ca1aca7a
SHA1 eabcb94639d6219bc44bfe0112dcfd970ed01724
SHA256 8aeb83c64ba906b174732797b7ea5eca95e264ba8543c236fb8f3099817e0b8e
SHA512 f40c62d03ec3888798c840f8824d73c3ce3a857e43e7d134df615dd9e0f79d1e8e0223049aefa0ad332ae91f8100ce6a9366f474bde33c8c926dde93bc7f1010
-
Filesize 440KB
MD5 e666eeb8a91424807d300ae705cdcf5d
SHA1 c3da6c7357e5a7db2252c610761fff75de96235d
SHA256 27fe39213778298918891627982d784aa20ed38ac300dc59f31f4127bb84d0e0
SHA512 53f786d02a793a618cc5a9af9818394da3097c575466597d8aaed6acb4a79692ed4901d8f3014b6b66b18a7dd8a6a8c0cdbfb1b3a4a0359c4aef461840e9b35d
-
Filesize 560KB
MD5 b991a89822bfd08dfaf4bc432e81ce5b
SHA1 128245ce7eeaa59e8d2c306ee7d408f6284775ad
SHA256 4dbe44997639e927e255be9dfb692a381fde761827601e1e0ecbfe339222d98f
SHA512 cdc68fc33998d822abe74f8695b7b94585fba325ed7c290a843f8c75614dba958ad01eee294e3e4fc4c51ad957127685e89b67d4a404d99bcdd21bd29408d023
-
Filesize 6.1MB
MD5 876035d0d473278f3c6a2f9d3c4ea95a
SHA1 e481db0c5d813d19e29e6bf2f17e9250022f5742
SHA256 656951c9b13ad1490199dd9c454356d2fd2e6508da25722d7ec6437c93bc0b70
SHA512 1c5a9d08230d824eb9b5e5a569ed5a577d481b0854823458c722ca003827eda306014d24d3683d72a17527df21136f6ca1f143502788e847ed20877cb95705c3
-
Filesize
457KB
MD52e854a25e69e74ed98f85eb986807ee5
SHA1129c9c2687e2c07cc812858c8c56686a0d31e07d
SHA256f02feedc8b8066409a8988dcb509a09c2e6bb57ce112274a2829b2090a595934
SHA5127536989b6ebf8873fa9f69b89b2213e1843b480397b0f2df6688b3e3ae48714d2d63919cefdedeb69cf7bcac573438985103658fc6e09b4407296c7a837d440e
-
Filesize
432KB
MD5549274b86dc89ba1c4b1fcd5ee391904
SHA10440a6b902fd9a014c29397384f5e56498546f0d
SHA256e53a6bc8faca38b0b960e43f887cdbedcc9f2f20b02d94089a1f7e732f3661e1
SHA5129a7dcfcaa09af4d6d2c047a8bd16ce25ecd065eee178d13937630844ef0d0b069306f7807b4f5c0b1ecf5f90d27f7f647f3751828b540df84cc360b63f30422d