Analysis
  max time kernel:   150s
  max time network:  151s
  platform:          windows10-2004_x64
  resource:          win10v2004-20231215-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         31/12/2023, 01:57
Static task
  static1
Behavioral task
  behavioral1   sample: 2395bd0420e2da5a0488879fbe9338b9.exe   resource: win7-20231215-en
Behavioral task
  behavioral2   sample: 2395bd0420e2da5a0488879fbe9338b9.exe   resource: win10v2004-20231215-en
  (The signatures on this page are from the behavioral2 run; the platform listed under Analysis is windows10-2004_x64.)
General
  Target:  2395bd0420e2da5a0488879fbe9338b9.exe
  Size:    480KB
  MD5:     2395bd0420e2da5a0488879fbe9338b9
  SHA1:    b50e534ab4fd248700998dc3dab030acafb3898f
  SHA256:  7333c1f267ddac67e00348ad7f43da843ae7f3f5ea9ad293b3a3c473b7d1f70e
  SHA512:  20864582ffa13ab17dcada0d306619ebaf03ebe85f7f30b967a9dc84e291bd862a5b1c5998c79a24f6919045c10c63761a75c5a217cc7c7ef1a11c544ec6d56e
  SSDEEP:  12288:NKwB7cXAS2USFm6LkKR0Yqmt1hPUnbGsbpnc7OM5/MS7GGAzkLXk8:NKw7xT/LTRlrhYlnc7OM5/MSKGAYD3
Malware Config

Signatures
Modifies visibility of file extensions in Explorer    2 TTPs    64 IoCs
  All 64 rows are the same write, attributed to different processes:
  description:      Set value (int)
  ioc:              \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  process (rows):   reg.exe (34), Conhost.exe (17), cmd.exe (6), cscript.exe (4), 2395bd0420e2da5a0488879fbe9338b9.exe (3)
(signature heading not captured on the page)    64 IoCs
  All 64 rows are the same write, attributed to different processes:
  description:      Set value (int)
  ioc:              \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process (rows):   reg.exe (31), Conhost.exe (19), cmd.exe (6), 2395bd0420e2da5a0488879fbe9338b9.exe (4), cscript.exe (2), BackgroundTransferHost.exe (2)
Blocklisted process makes network request    5 IoCs
  flow   pid    process
  49     2616   cscript.exe
  52     2616   cscript.exe
  55     2616   cscript.exe
  56     2616   cscript.exe
  58     2616   cscript.exe
Checks computer location settings    2 TTPs    1 IoCs
  Looks up country code configured in the registry, likely geofence.
  description:   Key value queried
  ioc:           \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
  process:       kyYEowww.exe
Executes dropped EXE    3 IoCs
  pid    process
  4372   kyYEowww.exe
  4856   UYIQwUYg.exe
  3168   DuAUYYQM.exe
Reads user/profile data of web browsers    2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application    2 TTPs    5 IoCs
  description      ioc                                                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kyYEowww.exe = "C:\\Users\\Admin\\TYokcEQg\\kyYEowww.exe"   2395bd0420e2da5a0488879fbe9338b9.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UYIQwUYg.exe = "C:\\ProgramData\\nGsEUkcE\\UYIQwUYg.exe"                                 reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kyYEowww.exe = "C:\\Users\\Admin\\TYokcEQg\\kyYEowww.exe"   kyYEowww.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UYIQwUYg.exe = "C:\\ProgramData\\nGsEUkcE\\UYIQwUYg.exe"                                 DuAUYYQM.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UYIQwUYg.exe = "C:\\ProgramData\\nGsEUkcE\\UYIQwUYg.exe"                                 UYIQwUYg.exe
(signature heading not captured on the page)    36 IoCs
  All 36 rows concern the same value, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA:
  description            ioc                               process (rows)
  Key value queried      ...\Policies\System\EnableLUA        cmd.exe (8), 2395bd0420e2da5a0488879fbe9338b9.exe (5), cscript.exe (5)
  Set value (int)        ...\Policies\System\EnableLUA = "0"  cmd.exe (8), cscript.exe (5), 2395bd0420e2da5a0488879fbe9338b9.exe (5)
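The registry signatures above (HideFileExt set to 1, EnableLUA set to 0, the two Run-key autostarts and the Geo\Nation lookup) are what a responder would carry to other hosts. The Python below is an added example and is not Triage code or part of the sample: it parses rows in the flattened "description ioc Process" shape used on this page, counts registry writes per process, and labels the rows that match those behaviours. The SAMPLE rows are copied from this report; the finding labels are mine. Two caveats when reading the tables: HideFileExt = 1 is also the Windows default, so the value on its own is weak evidence and the signal is that reg.exe and cmd.exe children of the sample write it; and Conhost.exe appearing as a writer of policy values is a PID-attribution artefact (conhost.exe does not write these keys itself), so treat the process column as a hint, not proof.

```python
"""Parse flattened Triage registry IoC rows and flag the settings this report
shows. Added example, not Triage code; SAMPLE is copied from the report."""
import re
from collections import Counter

# One row in the flattened "description ioc Process" tables looks like
#   Set value (int) \REGISTRY\USER\<SID>\...\HideFileExt = "1" reg.exe
#   Key value queried \REGISTRY\MACHINE\...\EnableLUA cmd.exe
# Rows are run together on one line, so the path is matched lazily up to the
# optional '= "value"' and the trailing process image name.
ROW_RE = re.compile(
    r'(?P<action>Set value \((?:int|str)\)|Key value queried|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'
    r'\s+(?P<process>\S+\.exe)(?=\s|$)'
)

# Constructed input: seven rows copied verbatim from the tables on this page.
SAMPLE = (
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe '
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
    r'\Policies\System\EnableLUA = "0" reg.exe '
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
    r'\Policies\System\EnableLUA cmd.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kyYEowww.exe = '
    r'"C:\\Users\\Admin\\TYokcEQg\\kyYEowww.exe" 2395bd0420e2da5a0488879fbe9338b9.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion'
    r'\Run\UYIQwUYg.exe = "C:\\ProgramData\\nGsEUkcE\\UYIQwUYg.exe" reg.exe '
    r'Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000'
    r'\Control Panel\International\Geo\Nation kyYEowww.exe'
)


def parse_rows(text):
    """Return one dict (action, path, value, process) per IoC row in the text.
    Whitespace is normalised first because the page wraps rows mid-path."""
    flat = " ".join(text.split())
    return [m.groupdict() for m in ROW_RE.finditer(flat)]


def classify(row):
    """Label a row if it is one of the behaviours flagged in this report, else None.
    Registry paths are case-insensitive, so compare in lower case."""
    path, value = row["path"].lower(), row["value"]
    if row["action"].startswith("Set value"):
        if path.endswith("\\explorer\\advanced\\hidefileext") and value == "1":
            return "hides file extensions in Explorer (HideFileExt=1)"
        if path.endswith("\\policies\\system\\enablelua") and value == "0":
            return "disables UAC (EnableLUA=0, takes effect after a reboot)"
        if "\\currentversion\\run\\" in path:
            return f"autostart via Run key -> {value}"
    elif row["action"] == "Key value queried" and path.endswith("\\geo\\nation"):
        return "reads configured country (possible geofence)"
    return None


def triage(text):
    """Parse rows, count registry writes per process and collect labelled findings."""
    rows = parse_rows(text)
    writes = Counter(r["process"] for r in rows if r["action"].startswith("Set value"))
    findings = [(r["process"], label) for r in rows if (label := classify(r))]
    return {"rows": len(rows), "writes_by_process": writes, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"{result['rows']} rows parsed")
    for proc, n in result["writes_by_process"].most_common():
        print(f"  {n:3d} registry write(s) by {proc}")
    for proc, label in result["findings"]:
        print(f"  {proc}: {label}")
```

To run it over a whole signature table, paste the flattened rows (line breaks included) into `triage()`; the per-process counter then reproduces the attribution counts of the tables above, and the findings list is what to convert into host-hunting queries.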
Drops file in System32 directory    6 IoCs
  description                    ioc                                                          process
  File opened for modification   C:\Windows\SysWOW64\config\systemprofile\TYokcEQg            DuAUYYQM.exe
  File opened for modification   C:\Windows\SysWOW64\config\systemprofile\TYokcEQg\kyYEowww   DuAUYYQM.exe
  File created                   C:\Windows\SysWOW64\shell32.dll.exe                          kyYEowww.exe
  File opened for modification   C:\Windows\SysWOW64\sheConvertExport.mp3                     kyYEowww.exe
  File opened for modification   C:\Windows\SysWOW64\sheCopyAdd.mp3                           kyYEowww.exe
  File opened for modification   C:\Windows\SysWOW64\sheRemoveSave.docx                       kyYEowww.exe
Enumerates physical storage devices    1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Modifies registry key    1 TTPs    64 IoCs
  process:   reg.exe (all 64 rows)
  pid:       4340 1412 1552 2144 4988 5000 4208 2304 1152 5000 3008 4840 3860 4648 3656 4604 1136 1596 1620 4212 3868 4828 4592 3868 3372 1228 3748 1604 1120 3464 3664 4920 3892 3868 2884 2880 4476 2876 460 1232 4364 2892 4880 2144 728 3356 4272 2768 3860 2700 2544 1480 996 2620 1228 4828 3664 2880 1308 2348 3596 3664 4460 4548
Suspicious behavior: EnumeratesProcesses    64 IoCs
  Each pid/process pair below is listed four times in the report (64 rows in total):
  pid    process
  2544   2395bd0420e2da5a0488879fbe9338b9.exe
  4984   cmd.exe
  2668   2395bd0420e2da5a0488879fbe9338b9.exe
  3016   2395bd0420e2da5a0488879fbe9338b9.exe
  1880   2395bd0420e2da5a0488879fbe9338b9.exe
  528    2395bd0420e2da5a0488879fbe9338b9.exe
  728    Conhost.exe
  636    2395bd0420e2da5a0488879fbe9338b9.exe
  3028   cscript.exe
  408    cmd.exe
  460    reg.exe
  2336   reg.exe
  3172   2395bd0420e2da5a0488879fbe9338b9.exe
  2884   Conhost.exe
  996    2395bd0420e2da5a0488879fbe9338b9.exe
  2336   reg.exe   (second group of four)
Suspicious behavior: GetForegroundWindowSpam    1 IoCs
  pid    process
  4372   kyYEowww.exe
Suspicious use of FindShellTrayWindow    64 IoCs
  pid    process
  4372   kyYEowww.exe   (all 64 rows)
Suspicious use of WriteProcessMemory    64 IoCs
  Identical rows are collapsed; "rows" gives how many times each appears in the report (three each, except the last).
  description                        pid    process                                 procid_target   rows
  PID 2544 wrote to memory of 4372   2544   2395bd0420e2da5a0488879fbe9338b9.exe    91              3
  PID 2544 wrote to memory of 4856   2544   reg.exe                                 93              3
  PID 2544 wrote to memory of 3228   2544   reg.exe                                 1149            3
  PID 3228 wrote to memory of 4984   3228   cscript.exe                             433             3
  PID 2544 wrote to memory of 3980   2544   reg.exe                                 1393            3
  PID 2544 wrote to memory of 5028   2544   reg.exe                                 1392            3
  PID 2544 wrote to memory of 4504   2544   reg.exe                                 1391            3
  PID 4984 wrote to memory of 4300   4984   cmd.exe                                 1390            3
  PID 4300 wrote to memory of 2668   4300   cmd.exe                                 1389            3
  PID 4984 wrote to memory of 4836   4984   cmd.exe                                 1388            3
  PID 4984 wrote to memory of 3324   4984   cmd.exe                                 1387            3
  PID 4984 wrote to memory of 2100   4984   cmd.exe                                 1326            3
  PID 4984 wrote to memory of 720    4984   cmd.exe                                 1386            3
  PID 2668 wrote to memory of 3628   2668   2395bd0420e2da5a0488879fbe9338b9.exe    1164            3
  PID 2668 wrote to memory of 4208   2668   2395bd0420e2da5a0488879fbe9338b9.exe    1382            3
  PID 3628 wrote to memory of 3016   3628   Conhost.exe                             1380            3
  PID 2668 wrote to memory of 4364   2668   2395bd0420e2da5a0488879fbe9338b9.exe    1381            3
  PID 2668 wrote to memory of 404    2668   2395bd0420e2da5a0488879fbe9338b9.exe    1378            3
  PID 2668 wrote to memory of 3504   2668   2395bd0420e2da5a0488879fbe9338b9.exe    1377            3
  PID 3016 wrote to memory of 5020   3016   2395bd0420e2da5a0488879fbe9338b9.exe    1374            3
  PID 5020 wrote to memory of 1880   5020   cmd.exe                                 1372            3
  PID 3504 wrote to memory of 4724   3504   cmd.exe                                 1053            1
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2395bd0420e2da5a0488879fbe9338b9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2395bd0420e2da5a0488879fbe9338b9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2395bd0420e2da5a0488879fbe9338b9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2395bd0420e2da5a0488879fbe9338b9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cmd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2395bd0420e2da5a0488879fbe9338b9.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2395bd0420e2da5a0488879fbe9338b9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2395bd0420e2da5a0488879fbe9338b9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cmd.exe
Processes
Format: [depth in process tree] image path | command line | PID; signatures triggered by a process are listed beneath it.

[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe" | PID 2544
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\TYokcEQg\kyYEowww.exe | "C:\Users\Admin\TYokcEQg\kyYEowww.exe" | PID 4372
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
  [2] C:\ProgramData\nGsEUkcE\UYIQwUYg.exe | "C:\ProgramData\nGsEUkcE\UYIQwUYg.exe" | PID 4856
      - Executes dropped EXE
      - Adds Run key to start application
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 3228
    [3] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 4984
      [4] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 2100
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyQcAEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 4308
[1] C:\ProgramData\ocgAMwYo\DuAUYYQM.exe | C:\ProgramData\ocgAMwYo\DuAUYYQM.exe | PID 3168
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 3628
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4724
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 4296
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 528
      - UAC bypass
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3464
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 1468
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 728
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\euwskEwI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 1536
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 996
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 2296
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 996
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMcAMUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 4120
      [4] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 4504
      [4] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 4724
      [4] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 2860
          - Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 1328
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3676
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iioYcAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 1836
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 1152
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3028
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 408
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 2852
    [3] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 460
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 532
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3840
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 3676
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwcYUoYM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 4116
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 4548
        - Modifies registry key
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 3008
        - Modifies registry key
      [4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2904
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 5000
        - Modifies registry key
      [4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1908
    [3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 940
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 2336
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3920
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 1232
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 976
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 2336
  [2] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4220
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 1344
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 5048
  [2] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 2792
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1372
      - UAC bypass
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 2468
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 4692
  [2] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 2616
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 8
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcIYEcwo.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 836
  [2] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 2144
      - Modifies visibility of file extensions in Explorer
      - Checks whether UAC is enabled
      - System policy modification
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3472
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3696
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAEMMkQk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 536
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 2620
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 3656
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 2700
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 4220
      - Modifies visibility of file extensions in Explorer
      - UAC bypass
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 3236
      - UAC bypass
      - Checks whether UAC is enabled
      - System policy modification
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3616
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 916
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wQccMcUM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 3608
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 3988
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 5000
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 2544
      - Modifies visibility of file extensions in Explorer
      - Adds Run key to start application
      - Modifies registry key
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 4504
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 5028
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 3980
        - Modifies visibility of file extensions in Explorer
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 4840
    [3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4692
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3484
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 1464
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 808
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3464
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 1316
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 3160
      [4] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3100
        [5] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 4260
          [6] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 2628
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 2376
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3472
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4608
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 1592
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 2468
  [2] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4868
    [3] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 4988
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWUoYIUs.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 5000
        [5] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4264
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3868
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 2220
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 1680
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 1620
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 4504
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 1836
    [3] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 636
      [4] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 2296
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SeMkoogg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 1680
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3224
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MyosMIMI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 2784
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 3224
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 1516
      [4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1752
          - UAC bypass
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 2144
        - Modifies registry key
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 2372
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 3628
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 3868
      - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 4900
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcMgAkQk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 2088
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 2884
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 728
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3372
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 2268
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 996
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 1620
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3868
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3768
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 664
    [3] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 1648
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 2904
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3652
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 3656
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 3664
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3552
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4988
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 4260
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 4576
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 4648
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4364
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4648
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 1620
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4524
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HOcYwAUA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 1448
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 1072
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 4576
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 536
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 3040
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3820
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 5040
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 808
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 4508
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 808
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 5048
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 4648
      - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 4528
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 4640
      [4] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 4576
        [5] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 1516
          [6] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 1228
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 3656
        - Modifies registry key
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 536
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 4572
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSskIkAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 2220
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3768
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3820
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 728
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3860
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 5040
    [3] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3028
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 664
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4304
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3552
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eUAQwcgc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 808
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 4572
    [3] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 4608
      [4] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4988
        [5] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4308
          [6] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3028
              - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIkkUooc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 3696
            [7] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 2100
                - UAC bypass
            [7] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 3616
            [7] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 2832
                - Modifies visibility of file extensions in Explorer
            [7] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 544
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 3748
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 1828
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 4544
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3820
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 4868
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3980
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 4640
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYgcUwAg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID 2296
    [3] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 2584
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 2376
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID 3464
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID 3008
    [3] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 4520
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID 2348
      - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID 2908
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 3892
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 5040
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID 2152
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID 3852
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4572
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4388
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQcwgcUI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""2⤵PID:2272
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
- Modifies registry key
PID:4340
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
PID:3464
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
PID:4284
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"2⤵PID:1484
-
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:2288
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4040
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:4640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"1⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:940
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:1752
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2120
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoYAggYM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""3⤵PID:4088
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
PID:2144
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:3748
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:1908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"3⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b94⤵
- Modifies visibility of file extensions in Explorer
PID:4528
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:3820
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:464
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:4340
-
-
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b92⤵PID:4444
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUooIUgk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""3⤵PID:4584
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:1372
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:2272
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:4528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"3⤵PID:3548
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4916
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:1144
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:4880
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:4584
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:3608
-
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:2784
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b92⤵PID:3952
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3656
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b92⤵PID:2528
-
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:1752
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1596
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:536
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3496
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:3952
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:4304
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqEoEogU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""2⤵PID:3008
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:3172
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:1008
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:4444
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵PID:4520
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"2⤵PID:3864
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
PID:4900 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4664
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4088
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b92⤵PID:4520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"3⤵PID:4212
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:5056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heQwQoQM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""2⤵PID:728
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4988
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:3676
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b93⤵PID:3596
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3820
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1536
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:1072
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:3820
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"2⤵PID:2892
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
PID:4584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGUsAssM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""3⤵PID:3356
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:1912
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:4432
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQooQAgY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""4⤵
- Modifies visibility of file extensions in Explorer
PID:1308
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- UAC bypass
PID:4628
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:3664
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:532
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"4⤵PID:448
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"3⤵PID:1604
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵PID:4132
-
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:1908
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:3500
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:2908
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGIAYoUY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""2⤵PID:2272
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4608
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:4040
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:3496
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"2⤵PID:2784
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4288
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:4432
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:4580
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcoocMAg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:2644
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqIoQEsk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""2⤵
- Modifies visibility of file extensions in Explorer
PID:720
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:3324
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:4836
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"2⤵
- Suspicious use of WriteProcessMemory
PID:4300
-
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:2700
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmIIIYck.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""2⤵PID:4916
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4920
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:2144
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
PID:4208 -
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
- Suspicious use of WriteProcessMemory
PID:3228
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"2⤵PID:1400
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
PID:3356
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:3008
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"2⤵PID:3820
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jqMgowYM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""2⤵PID:464
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:3008
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
PID:1120
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
PID:2892
-
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:460
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmUcQAsY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""2⤵PID:3500
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egcwkwQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""3⤵PID:2292
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b94⤵PID:3696
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
- Modifies visibility of file extensions in Explorer
- Checks whether UAC is enabled
- System policy modification
PID:1604
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:2936
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:4584
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"3⤵PID:3040
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
PID:2120
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:3040
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:1908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSYMgcYw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""3⤵PID:3952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwwQwAYA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""4⤵PID:3820
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵PID:2784
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xikIAQYw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""5⤵PID:1120
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- UAC bypass
PID:4944
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵PID:3172
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵PID:3820
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOYAUEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""6⤵PID:4580
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:1020
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
- Modifies registry key
PID:2620
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies visibility of file extensions in Explorer
PID:1804
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"6⤵PID:2908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEYkUQYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""6⤵PID:1592
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵PID:5056
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵PID:5000
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵PID:2908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"6⤵PID:1596
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"5⤵PID:1592
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵PID:2144
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵PID:4600
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"4⤵PID:4264
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:1596
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:3652
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies visibility of file extensions in Explorer
PID:1384
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"3⤵PID:4868
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"2⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b93⤵PID:4868
-
-
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:3484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKkYwsYU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""2⤵PID:1596
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4944
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵PID:408
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b94⤵PID:4664
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵PID:4664
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"3⤵PID:4628
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵PID:1464
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:2372
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"2⤵PID:4132
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:2092
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵PID:3028
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵PID:208
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵PID:3624
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵PID:3528
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b92⤵PID:4944
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QMwkoQAI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""2⤵PID:3664
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵PID:4880
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
PID:4476
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵PID:4508
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3220
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"2⤵PID:4952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rWAYkMsE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""2⤵PID:4576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwMYQAgM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""3⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b94⤵PID:3952
-
-
-
Process tree entries (depth | PID | image path | command line; signature tags listed beneath the entry that triggered them):

depth 3 | PID 2436 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 3 | PID 4308 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 3 | PID 4512 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
depth 3 | PID 920 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 2 | PID 2436 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 2 | PID 4088 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 3 | PID 4220 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
depth 2 | PID 3664 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
depth 3 | PID 3392 | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
depth 2 | PID 1448 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 3 | PID 3656 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
depth 4 | PID 4524 | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
depth 1 | PID 2852 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKAgcIEs.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 2 | PID 4692 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sskYkIAk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 2 | PID 1448 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 2 | PID 4308 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 2 | PID 3864 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 2 | PID 4432 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 536 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 1 | PID 1480 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
depth 1 | PID 2032 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 1 | PID 920 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 4528 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiEQgYAg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 4512 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 1 | PID 2680 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 3372 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
depth 1 | PID 4504 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 2 | PID 4648 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 3 | PID 2468 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  - Checks whether UAC is enabled
  - System policy modification
depth 3 | PID 464 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
depth 2 | PID 4836 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 3 | PID 3020 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
depth 2 | PID 4444 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 2 | PID 1232 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 3 | PID 728 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
depth 4 | PID 4516 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
depth 4 | PID 3860 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 5 | PID 3544 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 4 | PID 1964 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
depth 4 | PID 3016 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 5 | PID 3768 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCUwYAck.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 5 | PID 3860 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Modifies registry key
depth 5 | PID 2188 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies visibility of file extensions in Explorer
depth 5 | PID 2876 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 5 | PID 5020 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  - Suspicious use of WriteProcessMemory
depth 1 | PID 4924 | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
depth 1 | PID 4116 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
depth 2 | PID 1136 | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
depth 1 | PID 220 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEcoMoAU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 808 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 2 | PID 4304 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
depth 1 | PID 4580 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 1308 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
depth 2 | PID 5084 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
depth 1 | PID 4512 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haYQUcIY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 1752 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 1 | PID 3608 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 5040 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 1 | PID 3528 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 5072 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSwockcM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 2304 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
  - Modifies registry key
depth 1 | PID 1912 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 1228 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
depth 1 | PID 1904 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 2 | PID 2272 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 1 | PID 668 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DycMUQQI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 220 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 1 | PID 3372 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies visibility of file extensions in Explorer
depth 1 | PID 4664 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 2 | PID 1448 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUEUQUMg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 2 | PID 4828 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
depth 2 | PID 3580 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 2 | PID 1136 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
depth 2 | PID 4132 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 208 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 2768 | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
depth 1 | PID 1516 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cekQEAIM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 1804 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 1 | PID 4880 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
depth 2 | PID 2680 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 1 | PID 2024 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
depth 1 | PID 2852 | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
depth 1 | PID 624 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 5064 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 1 | PID 1604 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MiAEgIEE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 3776 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 1 | PID 4576 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 2032 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 1 | PID 3656 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 4388 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 1 | PID 4580 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NYswQocU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 4748 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 1 | PID 4264 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 5056 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 1 | PID 2940 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 2616 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  - Blocklisted process makes network request
depth 1 | PID 1144 | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
depth 2 | PID 464 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WcUwQkkw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 3 | PID 3160 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 2 | PID 4604 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
  - Modifies registry key
depth 2 | PID 3496 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies visibility of file extensions in Explorer
depth 2 | PID 5072 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
depth 2 | PID 536 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 2152 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 1 | PID 3028 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUkAcksk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 2 | PID 2220 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiMMYQAg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 3 | PID 3356 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
depth 2 | PID 4040 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 2 | PID 4116 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 2 | PID 3664 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
depth 2 | PID 4572 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 3 | PID 1592 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 3 | PID 2620 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 3 | PID 1620 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 3 | PID 3664 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 400 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
depth 1 | PID 940 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 2 | PID 3580 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQccIooU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 2 | PID 1904 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 2 | PID 2880 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 2 | PID 4212 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 2 | PID 1908 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 2348 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
depth 1 | PID 2324 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 2844 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
depth 1 | PID 4600 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
depth 1 | PID 1120 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 1 | PID 5040 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKIcEgAE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 2 | PID 4404 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roEMQEgI.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 2 | PID 2768 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
depth 2 | PID 4508 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 3 | PID 4608 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwMkkAYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 3 | PID 4664 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 3 | PID 4716 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 3 | PID 1596 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 3 | PID 4576 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 2 | PID 3860 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
depth 3 | PID 3576 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HaYsYgEY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 3 | PID 4264 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 4 | PID 3484 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 3 | PID 4828 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies registry key
depth 3 | PID 808 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 4 | PID 2784 | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
depth 4 | PID 5056 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies visibility of file extensions in Explorer
depth 4 | PID 2468 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgowcMUc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 4 | PID 3500 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 4 | PID 3596 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 5 | PID 2188 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGMgAkAc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 5 | PID 996 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
depth 6 | PID 3596 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sewoogAY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 6 | PID 4496 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
depth 6 | PID 1836 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 7 | PID 540 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
depth 6 | PID 4840 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
  - Modifies registry key
depth 6 | PID 2372 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
depth 5 | PID 3716 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 5 | PID 4120 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 5 | PID 4996 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 4 | PID 464 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 2 | PID 4132 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 3952 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 2 | PID 1604 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oIAQEMIY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 3 | PID 3392 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 2 | PID 1592 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 2 | PID 2144 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 2 | PID 2628 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 3 | PID 4828 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 1 | PID 3040 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 2288 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 2 | PID 4444 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOsgoYYk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 2 | PID 4608 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 2 | PID 2092 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
depth 2 | PID 3664 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 3608 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 1912 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
depth 1 | PID 4528 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsgEYUsY.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 4212 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 2 | PID 4920 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
depth 1 | PID 2880 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 3160 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 1 | PID 4988 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XysYgYcs.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 2 | PID 3596 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 2 | PID 2908 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 2 | PID 1448 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 3 | PID 1152 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
depth 2 | PID 4608 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 3 | PID 4580 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SAQgkIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 3 | PID 1604 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 3 | PID 5040 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - Modifies visibility of file extensions in Explorer
depth 4 | PID 4088 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGMsYcIg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 4 | PID 2436 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - UAC bypass
depth 4 | PID 2628 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 5 | PID 2468 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGMgscco.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 6 | PID 8 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  - Modifies visibility of file extensions in Explorer
depth 5 | PID 4576 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 5 | PID 1828 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 5 | PID 1152 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
depth 5 | PID 3664 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 4 | PID 4040 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 4 | PID 2032 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
  - Modifies visibility of file extensions in Explorer
depth 3 | PID 2436 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 3 | PID 4716 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 4920 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
depth 1 | PID 2940 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 2852 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies visibility of file extensions in Explorer
depth 2 | PID 4520 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 1 | PID 4116 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 3220 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygcYYckA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 1020 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - UAC bypass
depth 1 | PID 624 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 1 | PID 2784 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 3596 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
depth 1 | PID 920 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 4828 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKgsosQM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 1228 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  - Modifies registry key
depth 1 | PID 1904 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 728 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
depth 1 | PID 4868 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"
depth 1 | PID 4088 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYkcUUgE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 1 | PID 3040 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 1 | PID 728 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
depth 1 | PID 3552 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGUgEokM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 2 | PID 4988 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eowUIgQA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 3 | PID 2300 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
depth 4 | PID 2700 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 2 | PID 4220 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 2 | PID 3892 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  - UAC bypass
depth 2 | PID 3356 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  - Modifies registry key
depth 3 | PID 1648 | C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
  - Modifies visibility of file extensions in Explorer
depth 4 | PID 3356 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIsIsokw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""
depth 4 | PID 3100 | C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
depth 5 | PID 2164 | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9
depth 4 | PID 2100 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
depth 4 | C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4592
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9"4⤵PID:3768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PwcIYUUk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""5⤵PID:4088
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lQgoUUYU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe""6⤵PID:2296
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
- UAC bypass
PID:1316
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵PID:720
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
PID:4040
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies visibility of file extensions in Explorer
PID:2708
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵PID:4716
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
- Modifies registry key
PID:2880
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies registry key
PID:5000 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- UAC bypass
PID:1448
-
-
-
-
-
-
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:4264
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:4040
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:1516
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:4444
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSIAcoMM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:1596
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:3892
  - Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:536
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FaQwMUAk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:2584
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:3952
  - UAC bypass
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:1596
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:1648
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zaMsQssQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:2880
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:3868
  - Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:4040
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:3664
  - Modifies registry key
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCYcYcUg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:2628
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:2884
  - Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:1484
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:3980
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:3464
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:4868
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMMMwUsA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:4544
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:1592
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:3652
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:3868
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIsQUgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:2336
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:4988
    - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:4576
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:3624
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:1552
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2164
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:4120
  [2] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID:2904
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAYIkQIU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:4988
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:3236
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:728
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:1620
  - Modifies registry key
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1620
  - Modifies visibility of file extensions in Explorer
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BaEYsgwg.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:2884
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYYAYEoo.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:4648
      - Checks whether UAC is enabled
      - System policy modification
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:2628
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:1676
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:408
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:4116
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:1412
    - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:2204
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:4260
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:1464
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqgwsAsQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:4460
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:1752
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:636
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:3528
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:2188
    [3] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:2884
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:3100
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:1720
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID:3920
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:4088
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4508
  - Modifies visibility of file extensions in Explorer
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:3768
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIUoAoks.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:3544
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:528
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:1800
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:4548
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:2268
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:4504
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\imwgIQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:2220
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:2528
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:808
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID:3356
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSwckcgw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:2532
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:1552
  - Modifies registry key
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:2884
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:2880
  - Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:2768
  - UAC bypass
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID:3040
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1484
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCoMUwkM.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:1828
  - Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:1608
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:4460
  - Modifies registry key
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1676
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:996
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:4480
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID:3548
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsEwUsEE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:3464
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:3748
  - UAC bypass
  - Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:3776
  - UAC bypass
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:720
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:4364
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:3152
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DSEUcUcc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:4208
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:3020
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:4272
  - Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:2764
  - Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:3100
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:3324
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3628
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:3016
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4548
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:636
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4260
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECYcsIMU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:3436
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:2336
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgQwkAsw.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:536
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:4952
    - UAC bypass
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:3840
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:1604
    - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:3920
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lGcsskYk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:3528
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:3040
    - UAC bypass
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:3596
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:4212
    - UAC bypass
    - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:2896
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:2876
  - Modifies registry key
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:4932
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:408
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYYMQgYs.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:1344
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:1608
    - UAC bypass
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:1232
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:3988
    - Modifies visibility of file extensions in Explorer
    - UAC bypass
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3624
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2220
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWEosQYs.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:2320
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4576
  - UAC bypass
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:3868
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4716
    - UAC bypass
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:4660
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:1228
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:2884
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swQogAMA.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:4068
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:1800
    - UAC bypass
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:460
    - Modifies registry key
    - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsUAcssc.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:1464
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:3576
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:856
    [3] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:720
      [4] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID:4056
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:3320
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:1328
    - Modifies visibility of file extensions in Explorer
    [3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2204
      - Modifies visibility of file extensions in Explorer
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:3500
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NSAAQgow.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:4572
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:728
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:2440
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:1516
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:1008
  [2] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID:2784
    - UAC bypass
    - Checks whether UAC is enabled
    - System policy modification
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4932
    - Modifies visibility of file extensions in Explorer
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1412
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:1380
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piEIccAU.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:3224
  - Checks whether UAC is enabled
  - System policy modification
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:3596
  [2] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID:1032
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:2300
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:3008
  - UAC bypass
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:4608
  - UAC bypass
  - Checks whether UAC is enabled
  - System policy modification
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:940
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:1464
  [2] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID:3324
    [3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2328
      - UAC bypass
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2268
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2628
  - Modifies visibility of file extensions in Explorer
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2088
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:996
  - Modifies visibility of file extensions in Explorer
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4264
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID:4436
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1400
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMsUYsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:5028
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:2328
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:536
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9" | PID:2188
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:3172
  - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3664
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4116
  - UAC bypass
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4988
  - UAC bypass
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4572
  - UAC bypass
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2884
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:536
  - UAC bypass
[1] C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe | C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9 | PID:636
  - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\SysWOW64\cscript.exe | cscript C:\Users\Admin\AppData\Local\Temp/file.vbs | PID:4476
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4120
  - Modifies visibility of file extensions in Explorer
[1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4272
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\assQoAok.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:3552
[1] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:2668
  [2] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGsgcwsk.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:3504
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | PID:404
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:4364
    - Modifies registry key
  [2] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:4208
    - Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | PID:4728
[1] C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | PID:1084
  - Modifies visibility of file extensions in Explorer
[1] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCUMMYgE.bat" "C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exe"" | PID:1008
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵PID:4748
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3868
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
PID:5016
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:856
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
PID:2908
-
C:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b9.exeC:\Users\Admin\AppData\Local\Temp\2395bd0420e2da5a0488879fbe9338b91⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2668
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:4544
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:4504
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:1516
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
- UAC bypass
PID:3172
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
- UAC bypass
PID:1904
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads