Analysis
- max time kernel: 150s
- max time network: 70s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
- submitted: 28/03/2023, 05:50
Static task: static1
Behavioral task: behavioral1
- Sample: 1eac00778ee5f645087134c29f1d96d2.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 1eac00778ee5f645087134c29f1d96d2.exe
- Resource: win10v2004-20230220-en
General
- Target: 1eac00778ee5f645087134c29f1d96d2.exe
- Size: 244KB
- MD5: 1eac00778ee5f645087134c29f1d96d2
- SHA1: b7f10000b7cf33e6ebeeb7688b907015959a1b50
- SHA256: e937cf5b0039970669f96e6a11a769472e7e8fee28816d3fc6f39c82da3a7069
- SHA512: 21c0b4534ea0723f7b6e807642bb730020e6f455bb1981793a4b188480ae7ec7def361c4a289bf8e79b59d44af59e8fb4d5935e24751ea07c7618e25b5dab6ab
- SSDEEP: 3072:5KfjrSbQaCTFkXm6/j3rJ0EDgB+GVmK8GqsgjaOpmCGf9vheAtv/y7hD+YSzdUKY:Eu8HFkXmsVUVmMJtMy4MPsXFPyMzxCV8
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
All 64 entries write the same value; the distinct rows are:
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Process: reg.exe (a few entries are attributed to "Process not Found")
-
Disables UAC prompting via the EnableLUA policy value (signature heading not preserved on the page); all entries write the same value, the distinct rows are:
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process: reg.exe (a few entries are attributed to "Process not Found")
-
Executes dropped EXE 2 IoCs
pid: 1076, Process: RUoQwEso.exe
pid: 1704, Process: DeQYwYcQ.exe
-
Loads dropped DLL 20 IoCs
pid: 1756, Process: 1eac00778ee5f645087134c29f1d96d2.exe (repeated entries)
pid: 1076, Process: RUoQwEso.exe (repeated entries)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\RUoQwEso.exe = "C:\\Users\\Admin\\bIUcIgEw\\RUoQwEso.exe"; Process: 1eac00778ee5f645087134c29f1d96d2.exe
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DeQYwYcQ.exe = "C:\\ProgramData\\qiwQscQc\\DeQYwYcQ.exe"; Process: 1eac00778ee5f645087134c29f1d96d2.exe
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\RUoQwEso.exe = "C:\\Users\\Admin\\bIUcIgEw\\RUoQwEso.exe"; Process: RUoQwEso.exe
description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DeQYwYcQ.exe = "C:\\ProgramData\\qiwQscQc\\DeQYwYcQ.exe"; Process: DeQYwYcQ.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1756
-
C:\Users\Admin\bIUcIgEw\RUoQwEso.exe (depth 2)
Command line: "C:\Users\Admin\bIUcIgEw\RUoQwEso.exe"
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID: 1076
-
C:\ProgramData\qiwQscQc\DeQYwYcQ.exe (depth 2)
Command line: "C:\ProgramData\qiwQscQc\DeQYwYcQ.exe"
- Executes dropped EXE
- Adds Run key to start application
PID: 1704
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
- Suspicious use of WriteProcessMemory
PID: 588
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1484
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
- Suspicious use of WriteProcessMemory
PID: 1556
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 1296
-
C:\Windows\SysWOW64\cmd.exe (depth 6)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 1612
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 7)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 1692
-
C:\Windows\SysWOW64\cmd.exe (depth 8)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 1992
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 9)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 668
-
C:\Windows\SysWOW64\cmd.exe (depth 10)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 832
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 11)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 1532
-
C:\Windows\SysWOW64\cmd.exe (depth 12)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 432
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 13)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 272
-
C:\Windows\SysWOW64\cmd.exe (depth 14)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 276
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 15)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 588
-
C:\Windows\SysWOW64\cmd.exe (depth 16)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 1264
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 17)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 804
-
C:\Windows\SysWOW64\cmd.exe (depth 18)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 432
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 19)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 1500
-
C:\Windows\SysWOW64\cmd.exe (depth 20)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 1524
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 21)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 832
-
C:\Windows\SysWOW64\cmd.exe (depth 22)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 1732
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 23)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 1492
-
C:\Windows\SysWOW64\cmd.exe (depth 24)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 1064
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 25)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 1956
-
C:\Windows\SysWOW64\cmd.exe (depth 26)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 1528
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 27)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 832
-
C:\Windows\SysWOW64\cmd.exe (depth 28)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 1268
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exe (depth 29)
Command line: C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2
- Suspicious behavior: EnumeratesProcesses
PID: 1484
-
C:\Windows\SysWOW64\cmd.exe (depth 30)
Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"
PID: 1500
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d231⤵
- Suspicious behavior: EnumeratesProcesses
PID:556 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"32⤵PID:832
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d233⤵
- Suspicious behavior: EnumeratesProcesses
PID:384 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"34⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d235⤵
- Suspicious behavior: EnumeratesProcesses
PID:1116 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"36⤵PID:1416
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d237⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"38⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d239⤵
- Suspicious behavior: EnumeratesProcesses
PID:916 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"40⤵PID:1928
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d241⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"42⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d243⤵
- Suspicious behavior: EnumeratesProcesses
PID:1792 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"44⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d245⤵
- Suspicious behavior: EnumeratesProcesses
PID:1532 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"46⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d247⤵
- Suspicious behavior: EnumeratesProcesses
PID:1404 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"48⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d249⤵
- Suspicious behavior: EnumeratesProcesses
PID:1524 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"50⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d251⤵
- Suspicious behavior: EnumeratesProcesses
PID:884 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"52⤵PID:1900
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d253⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"54⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d255⤵
- Suspicious behavior: EnumeratesProcesses
PID:692 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"56⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d257⤵
- Suspicious behavior: EnumeratesProcesses
PID:1448 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"58⤵PID:1116
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d259⤵
- Suspicious behavior: EnumeratesProcesses
PID:1968 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"60⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d261⤵
- Suspicious behavior: EnumeratesProcesses
PID:1576 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"62⤵PID:680
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d263⤵
- Suspicious behavior: EnumeratesProcesses
PID:1988 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"64⤵PID:1116
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d265⤵PID:588
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"66⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d267⤵PID:1164
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"68⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d269⤵PID:832
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"70⤵PID:1156
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d271⤵PID:1748
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"72⤵PID:1456
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d273⤵PID:1188
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"74⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d275⤵PID:1900
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"76⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d277⤵PID:1556
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"78⤵PID:828
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d279⤵PID:1140
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"80⤵PID:1836
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d281⤵PID:1188
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"82⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d283⤵PID:1580
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"84⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d285⤵PID:1576
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"86⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d287⤵PID:1280
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"88⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d289⤵PID:1992
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"90⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d291⤵PID:316
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"92⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d293⤵PID:1328
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"94⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d295⤵PID:1828
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"96⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d297⤵PID:1992
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"98⤵PID:520
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d299⤵PID:1608
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"100⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2101⤵PID:976
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"102⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2103⤵PID:1500
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"104⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2105⤵PID:2004
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"106⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2107⤵PID:632
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"108⤵PID:1836
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2109⤵PID:384
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"110⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2111⤵PID:1684
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"112⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2113⤵PID:1584
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"114⤵PID:1928
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2115⤵PID:1140
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"116⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2117⤵PID:1828
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"118⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2119⤵PID:1524
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"120⤵PID:272
-
C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2.exeC:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2121⤵PID:1708
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1eac00778ee5f645087134c29f1d96d2"122⤵PID:1968