Analysis
-
max time kernel
186s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
01-01-2024 15:10
General
-
Target
3d2d0173e3f43615c98ad7c8d05e46d6.exe
-
Size
436KB
-
MD5
3d2d0173e3f43615c98ad7c8d05e46d6
-
SHA1
5a29ff905d152e1953d1e4afb28759282ad497bf
-
SHA256
51af7aced48148cdd79900d18f84b76ed4794fd43d6943570eaba08f74591750
-
SHA512
7a335f43863fb77fab875321113a7966be873d93f6baa508ddb2a6d84b7e7c1b2210b37ed23f71d74207b45ca3e44a69646bb3963ad5fceb75f9104e864ebafb
-
SSDEEP
12288:k+wDF4Ko1Vs375Df8TRHpFodb1RHrQ+Rb7/a7Na1V54kl:g4Koo37wRH4BnDy7yykl
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
Renames multiple (55) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks whether UAC is enabled 1 TTPs 38 IoCs
-
Drops file in System32 directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe"C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\yYUQwYwg\ousgIEok.exe"C:\Users\Admin\yYUQwYwg\ousgIEok.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\ProgramData\TeUoAIII\iqUssIYI.exe"C:\ProgramData\TeUoAIII\iqUssIYI.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d65⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d65⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQQcUIsY.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""6⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d67⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"8⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 28⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 18⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs8⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"6⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d67⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BcUQMoMg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyEsMcUM.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\ProgramData\QEEwcQko\kisIcQkE.exeC:\ProgramData\QEEwcQko\kisIcQkE.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWIosEkc.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- UAC bypass
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAAsQsEI.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGEsooEE.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- UAC bypass
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"3⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkckEYcg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"5⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d66⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmgAgQsU.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""5⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoEUoMgY.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""7⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d68⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f7⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- UAC bypass
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f8⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 28⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 27⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 17⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"7⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqcQogYU.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eSwgwwUQ.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMsowwEA.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
- Modifies visibility of file extensions in Explorer
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Modifies registry key
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d65⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoQYMIgg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""6⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"5⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d66⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HooYEsgg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aoQcQQQk.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuMkkMYQ.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs6⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵
- Modifies visibility of file extensions in Explorer
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgsUgwMM.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQccoMsI.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYssAwkE.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""6⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"6⤵
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Modifies visibility of file extensions in Explorer
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d65⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Modifies visibility of file extensions in Explorer
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuwUcoAM.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUwsIcQM.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgUsYUUA.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\POEYYEog.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyYIsUwM.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d64⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkQMIcYk.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DmcoQEgs.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""6⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"6⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HmQkQUAE.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"5⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSAsEMsE.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
-
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGccowsY.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUYMosos.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoAIUUgc.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwgMgwAs.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAgwAEEY.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUEYEAAY.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYsIIwAY.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWEsIEkU.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywsAMAEE.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqkYAkAU.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkIAMYck.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lqMwoAcw.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""5⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Modifies visibility of file extensions in Explorer
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmUAoYAY.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies visibility of file extensions in Explorer
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies registry key
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMwEwQwg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"3⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCQYkoAU.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"3⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d64⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oooQAEAg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bycUYgkk.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""6⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"6⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 15⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"5⤵
- Modifies visibility of file extensions in Explorer
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOYgoEAo.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LCgYkcMw.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lOkgcQcg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies visibility of file extensions in Explorer
-
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PkocwAss.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
- Checks whether UAC is enabled
- System policy modification
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkIkQQQc.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs4⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NssUoYcM.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEkcMIEg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCoUMQwA.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iqgksoAo.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies visibility of file extensions in Explorer
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Modifies visibility of file extensions in Explorer
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsEcsocU.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAUAkoIk.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d64⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"3⤵
- Checks whether UAC is enabled
- System policy modification
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckUQEQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seQMgIwI.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d64⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaAcAggU.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dqwosggk.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""4⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAUoMwQk.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 25⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsswQsUo.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUEwMIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOMYswws.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LoYkIIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"3⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiMAEUcw.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f3⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 23⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 13⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"3⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkkIIsgQ.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haUMIgoo.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMYkcQgc.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKEAAsgI.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIUEEEII.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NwUQEQcE.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOkMssIc.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAMkscwI.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yCgMMkoQ.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMYckwEY.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DKMUYAQg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"4⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d63⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amsIQYww.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAgAAMkY.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Modifies visibility of file extensions in Explorer
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeYUMksk.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\seQoAcEI.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOkcAIYg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiIccQIg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mCAkMMAU.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LuMoQQkk.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsgAUwsk.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkMsswMw.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
- Modifies visibility of file extensions in Explorer
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d62⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tagQsYcc.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs2⤵
- Blocklisted process makes network request
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dowEkoAc.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vCIgwIAU.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies visibility of file extensions in Explorer
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEEkUsow.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"2⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nosIUccg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcocYUAg.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""2⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\askQYQYY.bat" "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exe""1⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f1⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 21⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6"1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
- Modifies visibility of file extensions in Explorer
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d6.exeC:\Users\Admin\AppData\Local\Temp\3d2d0173e3f43615c98ad7c8d05e46d61⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
435KB
MD546ecb13bc952d6b09b7f9041b2f38e6c
SHA16813b58713a4ae5a121f08a859988fe4df489d6e
SHA25669119e0f9671e0bc200e949a4ddf7877194041a7e27ad44c4c97b722e9ae771b
SHA51260ecbe75c2a710ebfffac2274a6bc7fba9cd6808ae08571047eebb71fe3475792491d767de5f642b28779a8f87f8ff671011dabe3496147dd02ae5c9b190c5d6
-
Filesize
430KB
MD5a9c7d3ec0da8e08df458d984895283b8
SHA1cdd1e0c254c75ebe0cad905203406f078be0adbe
SHA25615c923fc0e21419975b6a3921a12451f4e30f76a073f8bf4bd21b2024bde6cd4
SHA51259e9777e5264815c9fef0ad4b83d9ba2c7e0294bbf4385fa0155e0684077b1b9c63c8ede668633e312c8ce098cae3b6bf6836d5e959af566953610daf214afeb
-
Filesize
2.0MB
MD5ae5a1c2f7277bff6663d91cab4a3e742
SHA19be442c7164509242dc5ca4b018f7af501ed9901
SHA2567b7f591f6e4dbce5570505e6d87a9e72b19d144f46ad309c57108e76b5b9c6e7
SHA51282be8e12b545b137d6bbe1c850ffb306f22b073a271565789acae2df8c00a86821c3692ccfc77eede484e2d2b1dd09533276441ac6ac2a37bcaca1355a2a1766
-
Filesize
4KB
MD51232aee9f3a8a4957dc2eafbabefca32
SHA144d02b24abbcc393cd1f4ab4173e442ede2b6f9f
SHA2561dd6b6b283844b4db4a673370fd745f9aa5f79718aef504eb546402ecca95f2c
SHA5120cc58a56f1ec7611f1a53c89b80957c44531af9fae47f77cbfa74a009d7358f70dacdb4c241304efdbe1ea83beb6b249f6bec852c5a8be8de79fc99a2a4f808f
-
Filesize
112B
MD5bae1095f340720d965898063fede1273
SHA1455d8a81818a7e82b1490c949b32fa7ff98d5210
SHA256ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a
SHA5124e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024
-
Filesize
434KB
MD537744bad8540275c754b14bf477d2955
SHA18f09f13abe4c4ea095c3431828ba65228be0d79d
SHA256542033d1223e5747c24e531b8770a47a2b0999bfb7ddf49270dea55cbe0b5fc5
SHA5123406787395d68f8113f3fbaa11a482d2fc53c1b0112aeeaad2bd87ffd1267dfba83ce14caccf9d47ed550a73ba47732d49200b970e027ad4bdd4a7550cd85872
-
Filesize
889KB
MD561d078dd8d05b2d0a80bd12d5beb4c4b
SHA1cd94e099ca466f360e9e8d75145face4bb60194a
SHA25625e071d6faf1161ea77b6ae0caa7b1e50daa18c286e5c49a39e504b31fccd2f0
SHA51218bf2654375858cc90faca716a07ddd6ce4424491b27c0977464b3f19f47b94431126b1309369e0511685c1c1948b9a49266fbde0567f63793b2f40310b39725
-
Filesize
674KB
MD513eb3b6de361c32744693e86f2f7820a
SHA1f24fe5283d54d6ff7e8bac9f97f0d742899018a3
SHA256e2460a24020f6c5ec8e8b0de8bb595a2a48a540d82f04a048d32009626876fb5
SHA5129d8d4ab48be11f0dc861dfd01e621c566cb1098bde5e16426ecf3ace2cdeca355081671da7b39ff37fb5a639c3d1210bb097dd7ba065da0713e16b7b5bc74e95
-
Filesize
441KB
MD584a11dfa95809805e055b22de7259879
SHA1636a90d3b44748d93ccad93f9e1d01ea17395a6d
SHA256f01d623a8bb5227a91cd08dd7beaeaddf76f4c66dfc87449deda930822730d3a
SHA51260c82eb7bcd822ce42fccb9d15f88002192852bb6974d724f919608fe9c5d70af43fbfea44bd167e5bd75747604cc320326a40825b5a9d75efd65b8cf46c5a25
-
Filesize
441KB
MD5cb69efbc3099f56ebe2446813719aa9d
SHA18f26d734934511058743ea6887282edd322bc51f
SHA256c7ae818377d55c45c20d9b237f99d3cddc2d42ecf01aef5e3d77b5200a7157b3
SHA51222447509db563ddf0a0cca59781eb87a4126dabe7a725e1ed704e13e86747ff052d7cd4b9cba0dd80deead58424558ff34971a0328bd3bdef29e853112002eec
-
Filesize
562KB
MD5ece7833f2f5a96f9b4183ca7e2340320
SHA1ff869d1bf44ac1dc242edabe77617106f3468794
SHA25697d0fc323dc7d26a23832666f13d31fb3e87aeb960eb1b308b93a27e88a2f6a0
SHA5129edcddfdcc1d3486c7bcaf107513357187b6183cb3e1baf18f1e80cc686a99cb58b0a1dffdd2843a55dfeb0c9a40148b3a02eba7a8ac773181de91ab993e906e
-
Filesize
19B
MD54afb5c4527091738faf9cd4addf9d34e
SHA1170ba9d866894c1b109b62649b1893eb90350459
SHA25659d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc
SHA51216d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5
-
Filesize
728KB
MD56e180faa06e26aa348f631365fb90211
SHA1d79caa4b0b2f1db1292d4ae4bdd87b6866d05d53
SHA256ceabe6e66a4ce7894e3b93e48d13effff4f4b189fbb43e38deccc77ae6bbb7fc
SHA51252b057bf9e0a5bf1a80bb747037c7873ba8a8442f2593d6e222ad61afda149d6b1067080cca06447682c067ade7db8f40adaa89c52a997beaef2d8c838fb282d
-
Filesize
444KB
MD5633f8c27144f2fad25d1eeb9e039f34b
SHA146bc8c546b9256c5732abae95ce11e3a244f4ad8
SHA256f6b70636a751b6a1dbde445103b3a50921fb86787d2002b1736beb907efd8093
SHA512ee04d5b1ca31597d79e68c508dbded25b1723174c812c213d91309287e2db84b1971423af5f780b226a22e9da61c26a56861329c6f3908819ce574e1a1c791b6
-
Filesize
693KB
MD541f3bf742d7cd8b20dec3f50b4e7468b
SHA1d2b7be986d1bde88e7b93acc472b1397688cf67f
SHA2562042aa8a062e0d2cc8095119a6bef758c14907dd216af1c9f1ca22ccf794977f
SHA512ffdfe5627aa0ba5f1f23a56dcf5bcdfad01574885c6e8da5baf845853ba5c48591c514e09133977ddd800ae13bfab7e2802fc6c818c121d0c0d257f72a47e0ed
-
Filesize
440KB
MD54ca1716379931e27d131e3413f9c25e5
SHA16621821e66757c8658dd21899001793e8091af01
SHA256f36bc8ab4ea42b2c34308581ef58c828156fc4f96ef18735cc4e71d55260517c
SHA512580876ab77a96c9d583e24040857565ec82e82373bc5ee8294d5fd826000e075c3a516c1cd5df13cf80e3a506a8042bfbf270abdd5fc1d9195a1e16da4c16ec3
-
Filesize
437KB
MD57df5800c50803dafdbefdf27c0081d9a
SHA18b79cc248cc3161cc21b6c2ee63316fe4cf3bc10
SHA25616280de8899b28a52c122deb54b42954968eb8e06c9589acc2aa0f863a0418fe
SHA5126600cf5134495d438dfeff4ad20ea7787c9026e019babf0d41d58654854d1a96d42c891ab095744b408dbe7bcef6d9f65b7aec785262a7336b1729051007be9b
-
Filesize
431KB
MD50aaf42fd3c7e4756a7ae80198889c61d
SHA184c4f32925c67543aeb80bf565b214655eeb7f9b
SHA256e3b3fb87cc8679b940b3e98d90d90efcebca88a07d0866919cd114a1275ed564
SHA5121e918b26f230486bc5f7d2ba8f0f86db988a0f7c768b0c6d923cff500f558b17522936716544bc51eea17a56d276584451f7d6f4255c0de12abaf16de5af4c62
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
444KB
-
Filesize
444KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB
-
Filesize
448KB