Analysis
max time kernel: 150s
max time network: 117s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 12-08-2024 13:08

Static task: static1
Behavioral task: behavioral1
  Sample: 01_extracted.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 01_extracted.exe
  Resource: win10v2004-20240802-en

General
Target: 01_extracted.exe
Size: 1.3MB
MD5: 02e47dfd1294ce31f13dba280c0a67b5
SHA1: 6abb28614be7035275e5bd3a3f37e0d5a733c083
SHA256: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e
SHA512: 7653d7e6d15597b39435bc91b722bb01d49775b3cac42e7d48dec8a708fb993587955877045adb799fe7a544b42f22ac6b2af60aef7c56936a5ee93132ee5fa4
SSDEEP: 24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8aR1qE5nfd3oSGnVm+Wf:0TvC/MTQYxsWR7aRVSS+I+
Malware Config
Signatures

Drops startup file (1 IoC)
Processes (description  ioc  Process):
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs  name.exe

Executes dropped EXE (64 IoCs)
Processes (pid  Process); every entry is name.exe, pids in order:
  2752, 2816, 2060, 2084, 1388, 2388, 1948, 292, 1352, 2848, 1928, 2192, 2152, 2100, 1808, 348,
  2876, 1360, 2464, 604, 1684, 1744, 1628, 2756, 2504, 2824, 2616, 1748, 2500, 2376, 2012, 1952,
  1456, 2880, 1064, 2356, 2104, 2188, 1284, 1884, 1636, 1868, 1056, 3048, 1644, 892, 1588, 2732,
  300, 2660, 2668, 2044, 2284, 1716, 2900, 2308, 2320, 2800, 2200, 1860, 2400, 600, 1620, 2888

Loads dropped DLL (2 IoCs)
Processes (pid  Process):
  2372  01_extracted.exe
  2752  name.exe

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Processes (resource  yara_rule):
  behavioral1/files/0x0008000000018b00-13.dat  autoit_exe

System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description  ioc  Process); 64 identical entries:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  name.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid  Process); each of the 32 processes appears twice in the table:
  2372  01_extracted.exe
  name.exe pids in order: 2752, 2816, 2060, 2084, 1388, 2388, 1948, 292, 1352, 2848, 1928, 2192, 2152, 2100, 1808, 348,
  2876, 1360, 2464, 604, 1684, 1744, 1628, 2756, 2504, 2824, 2616, 1748, 2500, 2376, 2012

Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid  Process); each of the 32 processes appears twice in the table:
  2372  01_extracted.exe
  name.exe pids in order: 2752, 2816, 2060, 2084, 1388, 2388, 1948, 292, 1352, 2848, 1928, 2192, 2152, 2100, 1808, 348,
  2876, 1360, 2464, 604, 1684, 1744, 1628, 2756, 2504, 2824, 2616, 1748, 2500, 2376, 2012

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description  pid  Process  procid_target); each row appears four times in the table:
  PID 2372 wrote to memory of 2752  2372  01_extracted.exe  31
  PID 2752 wrote to memory of 2816  2752  name.exe  32
  PID 2816 wrote to memory of 2060  2816  name.exe  33
  PID 2060 wrote to memory of 2084  2060  name.exe  34
  PID 2084 wrote to memory of 1388  2084  name.exe  35
  PID 1388 wrote to memory of 2388  1388  name.exe  36
  PID 2388 wrote to memory of 1948  2388  name.exe  37
  PID 1948 wrote to memory of 292   1948  name.exe  38
  PID 292 wrote to memory of 1352   292   name.exe  39
  PID 1352 wrote to memory of 2848  1352  name.exe  40
  PID 2848 wrote to memory of 1928  2848  name.exe  41
  PID 1928 wrote to memory of 2192  1928  name.exe  42
  PID 2192 wrote to memory of 2152  2192  name.exe  43
  PID 2152 wrote to memory of 2100  2152  name.exe  44
  PID 2100 wrote to memory of 1808  2100  name.exe  45
  PID 1808 wrote to memory of 348   1808  name.exe  46
Processes (tree depth in brackets, then PID, image path and command line; signatures hit by that process listed below it)

[1] PID 2372  C:\Users\Admin\AppData\Local\Temp\01_extracted.exe  cmdline "C:\Users\Admin\AppData\Local\Temp\01_extracted.exe"
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[2] PID 2752  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\Temp\01_extracted.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[3] PID 2816  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[4] PID 2060  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[5] PID 2084  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[6] PID 1388  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[7] PID 2388  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[8] PID 1948  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[9] PID 292  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[10] PID 1352  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[11] PID 2848  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[12] PID 1928  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[13] PID 2192  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[14] PID 2152  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[15] PID 2100  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[16] PID 1808  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
[17] PID 348  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[18] PID 2876  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[19] PID 1360  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[20] PID 2464  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[21] PID 604  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[22] PID 1684  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[23] PID 1744  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[24] PID 1628  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[25] PID 2756  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[26] PID 2504  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[27] PID 2824  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[28] PID 2616  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[29] PID 1748  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[30] PID 2500  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[31] PID 2376  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[32] PID 2012  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[33] PID 1952  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[34] PID 1456  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[35] PID 2880  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[36] PID 1064  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[37] PID 2356  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[38] PID 2104  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[39] PID 2188  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[40] PID 1284  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[41] PID 1884  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[42] PID 1636  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[43] PID 1868  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[44] PID 1056  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[45] PID 3048  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[46] PID 1644  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[47] PID 892  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[48] PID 1588  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[49] PID 2732  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[50] PID 300  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[51] PID 2660  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[52] PID 2668  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[53] PID 2044  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[54] PID 2284  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[55] PID 1716  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[56] PID 2900  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[57] PID 2308  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[58] PID 2320  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[59] PID 2800  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[60] PID 2200  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[61] PID 1860  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[62] PID 2400  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[63] PID 600  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
[64] PID 1620  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[65] PID 2888  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[66] PID 3024  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[67] PID 1624  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[68] PID 2292  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[69] PID 1956  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[70] PID 2804  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[71] PID 2300  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[72] PID 2556  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[73] PID 2576  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[74] PID 2528  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[75] PID 2428  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[76] PID 1632  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[77] PID 1964  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[78] PID 480  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[79] PID 1180  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[80] PID 2204  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[81] PID 2124  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[82] PID 832  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[83] PID 2728  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[84] PID 2256  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[85] PID 3036  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[86] PID 652  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[87] PID 2656  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[88] PID 2696  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[89] PID 2952  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[90] PID 2828  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[91] PID 1464  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[92] PID 2852  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[93] PID 1924  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[94] PID 1480  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[95] PID 2492  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[96] PID 1932  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[97] PID 1768  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[98] PID 692  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[99] PID 2288  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[100] PID 2396  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[101] PID 2368  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[102] PID 1992  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[103] PID 2364  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[104] PID 2600  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[105] PID 1220  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[106] PID 2040  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[107] PID 2996  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[108] PID 2016  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[109] PID 2960  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[110] PID 1648  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[111] PID 1692  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
    - System Location Discovery: System Language Discovery
[112] PID 1304  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[113] PID 2244  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[114] PID 1900  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[115] PID 1332  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[116] PID 1004  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[117] PID 1484  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[118] PID 2680  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[119] PID 2968  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[120] PID 860  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[121] PID 2544  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"
[122] PID 752  C:\Users\Admin\AppData\Local\directory\name.exe  cmdline "C:\Users\Admin\AppData\Local\directory\name.exe"