Analysis
-
max time kernel
88s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
30/04/2024, 02:23
General
-
Target
Seven.exe
-
Size
139KB
-
MD5
350273e0d2e8a9ba5e37b791016112a0
-
SHA1
5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71
-
SHA256
27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba
-
SHA512
b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b
-
SSDEEP
3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Renames multiple (265) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocks application from running via registry modification 1 IoCs
Adds application to list of disallowed applications.
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops file in System32 directory 29 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Seven.exe"C:\Users\Admin\AppData\Local\Temp\Seven.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\Winhost.exe2⤵
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\Winhost.exe2⤵
- Drops file in System32 directory
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Public\Documents\Winhost.exe2⤵
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Windows\System32\Winhost.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h C:\Windows\System32\Winhost.exe3⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Users\Public\Documents\Winhost.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Public\Documents\Winhost.exe3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll2⤵
- Drops file in System32 directory
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Users\Public\Documents\Seven.dll2⤵
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json2⤵
- Drops file in System32 directory
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Users\Public\Documents\Seven.runtimeconfig.json2⤵
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h C:\Windows\System32\Seven.dll3⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h C:\Windows\System32\Seven.runtimeconfig.json3⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.dll2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Public\Documents\Seven.dll3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Winhost.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exeC:\Users\Admin\AppData\Local\Temp\Winhost.exe3⤵
- Deletes itself
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"4⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"14⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"15⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"16⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"22⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"23⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"24⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"29⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"30⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"32⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"33⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"34⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"35⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"37⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"39⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"43⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"45⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"46⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"47⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"48⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"49⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"50⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"51⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"52⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"53⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"54⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"55⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"56⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"57⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV158⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"58⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"59⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"60⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"61⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"62⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"63⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"64⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"65⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"66⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"67⤵
- Checks computer location settings
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV168⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"68⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"69⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV170⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"70⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"71⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"72⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"73⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"74⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"75⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"76⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"77⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"78⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"79⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV180⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"80⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"81⤵
- Checks computer location settings
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV182⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"82⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"83⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"84⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"85⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"86⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"87⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"88⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"89⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"90⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"91⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"92⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"93⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"94⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"95⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"96⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"97⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"98⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"99⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"100⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"101⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"102⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"103⤵
- Checks computer location settings
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1104⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"104⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"105⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"106⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"107⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"108⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"109⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"110⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"111⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"112⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"113⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"114⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"115⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"116⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"117⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"118⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"119⤵
-
C:\Users\Admin\AppData\Local\Temp\Winhost.exe"C:\Users\Admin\AppData\Local\Temp\Winhost.exe"120⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-