Analysis

max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 11-06-2024 01:33

Static task: static1

Behavioral task: behavioral1
  Sample: a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe
  Resource: win10v2004-20240226-en

General

Target: a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe
Size: 737KB
MD5: 80848c2305505f287c59d4784d23a76e
SHA1: e6907dc0c0164f3a291d4c078ab00f933d7f6d94
SHA256: a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51
SHA512: 615a9d59367b50534a8243e64e49f9e201f54d9d9be5c793ee0b34a3bde5b5192496a04bb021d1face01077c1a3db4e8a7cde252bd16e329bcbf3bc9032011f8
SSDEEP: 3072:qV6ZG9Gb1M9gi+B3kzQOg0eUizUj8zF0OGqTaTCP6/t8dNYVktaxbcLkYiQiiXmY:qV6o9GJM9gi+U8OczFXPTyCDgTIAg
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
Distinct entries:

description      ioc                                                                                                                                    Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  reg.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  Process not Found
Distinct entries (EnableLUA):

description      ioc                                                                                     Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Process not Found
Executes dropped EXE (2 IoCs)

pid   Process
2064  tUcgcAkk.exe
2252  KigoUQcE.exe
Loads dropped DLL (24 IoCs)
Distinct entries:

pid   Process
1804  a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe
2064  tUcgcAkk.exe
952   WerFault.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)

description      ioc                                                                                                                                                   Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\tUcgcAkk.exe = "C:\\Users\\Admin\\nCkgkscs\\tUcgcAkk.exe"  a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KigoUQcE.exe = "C:\\ProgramData\\VcswUYYE\\KigoUQcE.exe"                    a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\tUcgcAkk.exe = "C:\\Users\\Admin\\nCkgkscs\\tUcgcAkk.exe"  tUcgcAkk.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KigoUQcE.exe = "C:\\ProgramData\\VcswUYYE\\KigoUQcE.exe"                    KigoUQcE.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)

pid  pid_target  Process       procid_target
952  2064        WerFault.exe  28
Modifies registry key (1 TTPs, 64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (each parent-to-child write below was logged 4 times, one row per WriteProcessMemory call; 64 rows in total)
PID 1804 wrote to memory of 2064 | 1804 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 28
PID 1804 wrote to memory of 2252 | 1804 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 29
PID 1804 wrote to memory of 2688 | 1804 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 30
PID 2688 wrote to memory of 2660 | 2688 | cmd.exe | 32
PID 1804 wrote to memory of 1320 | 1804 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 33
PID 1804 wrote to memory of 2868 | 1804 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 34
PID 1804 wrote to memory of 1976 | 1804 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 36
PID 1804 wrote to memory of 2496 | 1804 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 38
PID 2496 wrote to memory of 2532 | 2496 | cmd.exe | 41
PID 2660 wrote to memory of 2988 | 2660 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 42
PID 2988 wrote to memory of 1644 | 2988 | cmd.exe | 44
PID 2660 wrote to memory of 2568 | 2660 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 45
PID 2660 wrote to memory of 2808 | 2660 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 46
PID 2660 wrote to memory of 2832 | 2660 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 48
PID 2660 wrote to memory of 2940 | 2660 | a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe | 49
PID 2940 wrote to memory of 1788 | 2940 | cmd.exe | 53
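The flattened "wrote to memory" rows above are easier to reason about once they are rebuilt into a parent/child tree. The script below is an added example written for this page; it is not part of the sandbox report or of its tooling. It parses rows in the report's `PID <parent> wrote to memory of <child> <parent> <parent image> <id>` layout, drops the repeated rows (the sandbox logs one row per WriteProcessMemory call), finds the tree roots, and returns the longest chain on which the sample image and cmd.exe alternate. That chain is the `cmd /c "<sample path>"` self re-execution loop that the process tree further down shows nesting to depth 122. The embedded rows are copied from this report; the chain heuristic and all function names are the example's own. One detail worth noticing while reading the tree: the `cmd /c` command line names the sample without its `.exe` extension, and cmd.exe resolves that through PATHEXT, so the same binary is what runs at every level.

```python
import re
from collections import defaultdict

SAMPLE_IMAGE = "a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51.exe"

# Constructed input: the report's "wrote to memory" rows, flattened onto one line as
# they appear on the page. The first row is repeated on purpose, because the sandbox
# logs one row per WriteProcessMemory call and every edge therefore shows up several times.
SAMPLE_ROWS = " ".join([
    f"PID 1804 wrote to memory of 2064 1804 {SAMPLE_IMAGE} 28",
    f"PID 1804 wrote to memory of 2064 1804 {SAMPLE_IMAGE} 28",
    f"PID 1804 wrote to memory of 2252 1804 {SAMPLE_IMAGE} 29",
    f"PID 1804 wrote to memory of 2688 1804 {SAMPLE_IMAGE} 30",
    "PID 2688 wrote to memory of 2660 2688 cmd.exe 32",
    f"PID 1804 wrote to memory of 1320 1804 {SAMPLE_IMAGE} 33",
    f"PID 1804 wrote to memory of 2868 1804 {SAMPLE_IMAGE} 34",
    f"PID 1804 wrote to memory of 1976 1804 {SAMPLE_IMAGE} 36",
    f"PID 1804 wrote to memory of 2496 1804 {SAMPLE_IMAGE} 38",
    "PID 2496 wrote to memory of 2532 2496 cmd.exe 41",
    f"PID 2660 wrote to memory of 2988 2660 {SAMPLE_IMAGE} 42",
    "PID 2988 wrote to memory of 1644 2988 cmd.exe 44",
    f"PID 2660 wrote to memory of 2568 2660 {SAMPLE_IMAGE} 45",
    f"PID 2660 wrote to memory of 2808 2660 {SAMPLE_IMAGE} 46",
    f"PID 2660 wrote to memory of 2832 2660 {SAMPLE_IMAGE} 48",
    f"PID 2660 wrote to memory of 2940 2660 {SAMPLE_IMAGE} 49",
    "PID 2940 wrote to memory of 1788 2940 cmd.exe 53",
])

# One row: "PID <parent> wrote to memory of <child> <parent> <parent image> <target id>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_rows(text):
    """De-duplicated (parent_pid, child_pid, parent_image) edges in first-seen order."""
    edges, seen = [], set()
    for parent, child, _, image, _ in ROW.findall(text):
        edge = (int(parent), int(child), image)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """children[pid] -> child pids in log order; image[pid] -> image name.
    Only a process that itself wrote to a child has a known image in these rows."""
    children, image = defaultdict(list), {}
    for parent, child, parent_image in edges:
        children[parent].append(child)
        image.setdefault(parent, parent_image)
    return children, image


def root_pids(children):
    """Processes that wrote to others but were never written to: the tree roots."""
    written_to = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in written_to]


def longest_respawn_chain(children, image, root, sample_image):
    """Longest root-to-leaf path on which every process is the sample image or
    cmd.exe, i.e. the 'cmd /c <self>' re-execution loop. Leaves never wrote to
    anyone, so they have no recorded image and are allowed on the path."""
    def walk(pid):
        best = [pid]
        for child in children.get(pid, []):
            if image.get(child) not in (None, sample_image, "cmd.exe"):
                continue
            path = [pid] + walk(child)
            if len(path) > len(best):
                best = path
        return best
    return walk(root)


def summarize(text, sample_image=SAMPLE_IMAGE):
    """Unique edge count, roots and the longest sample/cmd.exe chain per root."""
    edges = parse_rows(text)
    children, image = build_tree(edges)
    roots = root_pids(children)
    chains = {r: longest_respawn_chain(children, image, r, sample_image) for r in roots}
    return {"edges": len(edges), "roots": roots, "chains": chains}


if __name__ == "__main__":
    result = summarize(SAMPLE_ROWS)
    print(f"{result['edges']} unique parent->child writes, roots: {result['roots']}")
    for root, chain in result["chains"].items():
        print(f"root {root}: sample/cmd.exe chain of {len(chain)} processes: {chain}")
```

On the rows embedded above the script reports 16 unique edges, a single root (PID 1804) and the chain 1804 -> 2688 -> 2660 -> 2988 -> 1644, which matches the first five levels of the process tree; feeding it the complete row set from a report of this kind extends the chain accordingly.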
Processes
-
In the table below SAMPLE stands for C:\Users\Admin\AppData\Local\Temp\a6d5d5f6ea1a45ee103b8e3c2b7e3b365bb0458d6781ca9ee0c12de58987cd51 (written out once here). Each row is one process; "depth" is its nesting level in the tree, "image" the executable path, "command line" the command line as captured, and "signatures" the behaviours the sandbox attached to that process.
depth | PID | image | command line | signatures
1 | 1804 | SAMPLE.exe | "SAMPLE.exe" | Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
2 | 2064 | C:\Users\Admin\nCkgkscs\tUcgcAkk.exe | "C:\Users\Admin\nCkgkscs\tUcgcAkk.exe" | Executes dropped EXE; Loads dropped DLL; Adds Run key to start application
3 | 952 | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 608 | Loads dropped DLL; Program crash
2 | 2252 | C:\ProgramData\VcswUYYE\KigoUQcE.exe | "C:\ProgramData\VcswUYYE\KigoUQcE.exe" | Executes dropped EXE; Adds Run key to start application
2 | 2688 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" | Suspicious use of WriteProcessMemory
3 | 2660 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
4 | 2988 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" | Suspicious use of WriteProcessMemory
5 | 1644 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
6 | 1588 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
7 | 1416 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
8 | 2888 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
9 | 1680 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
10 | 1820 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
11 | 1924 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
12 | 2204 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
13 | 3052 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
14 | 2656 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
15 | 1116 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
16 | 2848 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
17 | 2960 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
18 | 1788 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
19 | 2536 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
20 | 2164 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
21 | 2052 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
22 | 2076 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
23 | 2300 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
24 | 840 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
25 | 2120 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
26 | 1992 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
27 | 1784 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
28 | 2660 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
29 | 2956 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
30 | 2816 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
31 | 2168 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
32 | 2896 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
33 | 292 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
34 | 2284 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
35 | 1920 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
36 | 2444 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
37 | 1556 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
38 | 2616 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
39 | 652 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
40 | 2464 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
41 | 2204 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
42 | 2668 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
43 | 3000 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
44 | 2240 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
45 | 1652 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
46 | 2248 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
47 | 628 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
48 | 1084 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
49 | 2020 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
50 | 2280 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
51 | 868 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
52 | 2476 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
53 | 340 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
54 | 2344 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
55 | 2524 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
56 | 1708 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
57 | 1056 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
58 | 1312 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
59 | 1152 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
60 | 2916 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
61 | 1864 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
62 | 884 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
63 | 2220 | SAMPLE.exe | SAMPLE | Suspicious behavior: EnumeratesProcesses
64 | 1672 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
65 | 1620 | SAMPLE.exe | SAMPLE |
66 | 2652 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
67 | 2832 | SAMPLE.exe | SAMPLE |
68 | 1888 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
69 | 2464 | SAMPLE.exe | SAMPLE |
70 | 2028 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
71 | 820 | SAMPLE.exe | SAMPLE |
72 | 1636 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
73 | 1716 | SAMPLE.exe | SAMPLE |
74 | 2752 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
75 | 2140 | SAMPLE.exe | SAMPLE |
76 | 2020 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
77 | 1976 | SAMPLE.exe | SAMPLE |
78 | 908 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
79 | 1156 | SAMPLE.exe | SAMPLE |
80 | 2648 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
81 | 1560 | SAMPLE.exe | SAMPLE |
82 | 2344 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
83 | 2924 | SAMPLE.exe | SAMPLE |
84 | 2440 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
85 | 2108 | SAMPLE.exe | SAMPLE |
86 | 1920 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
87 | 2400 | SAMPLE.exe | SAMPLE |
88 | 2740 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
89 | 1720 | SAMPLE.exe | SAMPLE |
90 | 868 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
91 | 1984 | SAMPLE.exe | SAMPLE |
92 | 2540 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
93 | 2900 | SAMPLE.exe | SAMPLE |
94 | 2024 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
95 | 832 | SAMPLE.exe | SAMPLE |
96 | 720 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
97 | 1492 | SAMPLE.exe | SAMPLE |
98 | 1872 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
99 | 2216 | SAMPLE.exe | SAMPLE |
100 | 2440 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
101 | 1152 | SAMPLE.exe | SAMPLE |
102 | 852 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
103 | 1880 | SAMPLE.exe | SAMPLE |
104 | 2740 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
105 | 1976 | SAMPLE.exe | SAMPLE |
106 | 2412 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
107 | 2756 | SAMPLE.exe | SAMPLE |
108 | 1528 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
109 | 320 | SAMPLE.exe | SAMPLE |
110 | 1312 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
111 | 1636 | SAMPLE.exe | SAMPLE |
112 | 2360 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
113 | 2308 | SAMPLE.exe | SAMPLE |
114 | 1888 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
115 | 908 | SAMPLE.exe | SAMPLE |
116 | 1248 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
117 | 2120 | SAMPLE.exe | SAMPLE |
118 | 2172 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
119 | 2900 | SAMPLE.exe | SAMPLE |
120 | 2536 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |
121 | 292 | SAMPLE.exe | SAMPLE |
122 | 1116 | C:\Windows\SysWOW64\cmd.exe | cmd /c "SAMPLE" |