Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 12-08-2024 13:12
Static task: static1
Behavioral task: behavioral1
  Sample: 01_extracted.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 01_extracted.exe
  Resource: win10v2004-20240802-en
General
Target: 01_extracted.exe
Size: 1.3MB
MD5: 02e47dfd1294ce31f13dba280c0a67b5
SHA1: 6abb28614be7035275e5bd3a3f37e0d5a733c083
SHA256: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e
SHA512: 7653d7e6d15597b39435bc91b722bb01d49775b3cac42e7d48dec8a708fb993587955877045adb799fe7a544b42f22ac6b2af60aef7c56936a5ee93132ee5fa4
SSDEEP: 24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8aR1qE5nfd3oSGnVm+Wf:0TvC/MTQYxsWR7aRVSS+I+
Malware Config

Signatures
Drops startup file (1 IoC)
Process: name.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
Executes dropped EXE (64 IoCs)
Processes (all name.exe), listed by PID: 2296, 2544, 2872, 2720, 2940, 2636, 2444, 2976, 2952, 828, 324, 1912, 2084, 1988, 668, 1892, 300, 2504, 3060, 776, 1856, 496, 2128, 2516, 2784, 2884, 2900, 2768, 2652, 1716, 1712, 2860, 3004, 1980, 1688, 2148, 2140, 448, 1284, 2420, 1268, 1652, 3032, 2360, 560, 1676, 1484, 1940, 2748, 2760, 2472, 2924, 2436, 2956, 2832, 2024, 2968, 2356, 2324, 1620, 1724, 888, 932, 1108
Loads dropped DLL (1 IoC)
Process: 01_extracted.exe (PID 2304)
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Resource: behavioral1/files/0x0008000000016d5e-13.dat
  YARA rule: autoit_exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process: name.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 identical entries, one per name.exe process)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (each PID appears twice in the report): 01_extracted.exe PID 2304; name.exe PIDs 2296, 2544, 2872, 2720, 2940, 2636, 2444, 2976, 2952, 828, 324, 1912, 2084, 1988, 668, 1892, 300, 2504, 3060, 776, 1856, 496, 2128, 2516, 2784, 2884, 2900, 2768, 2652, 1716, 1712
Suspicious use of SendNotifyMessage (64 IoCs)
Processes (each PID appears twice in the report): 01_extracted.exe PID 2304; name.exe PIDs 2296, 2544, 2872, 2720, 2940, 2636, 2444, 2976, 2952, 828, 324, 1912, 2084, 1988, 668, 1892, 300, 2504, 3060, 776, 1856, 496, 2128, 2516, 2784, 2884, 2900, 2768, 2652, 1716, 1712
Suspicious use of WriteProcessMemory (64 IoCs)
Each writer PID wrote to the memory of its child four times; the four identical rows per pair are collapsed into one line below.
  Writer PID  Writer process     Target PID  procid_target
  2304        01_extracted.exe   2296        30
  2296        name.exe           2544        31
  2544        name.exe           2872        33
  2872        name.exe           2720        34
  2720        name.exe           2940        35
  2940        name.exe           2636        36
  2636        name.exe           2444        37
  2444        name.exe           2976        38
  2976        name.exe           2952        39
  2952        name.exe           828         40
  828         name.exe           324         41
  324         name.exe           1912        42
  1912        name.exe           2084        43
  2084        name.exe           1988        44
  1988        name.exe           668         45
  668         name.exe           1892        46
Processes
Process tree, one line per process: depth, PID, and the signatures triggered. Each process is the child of the one listed above it (the depth number is the nesting level shown in the report). Depth 1 is C:\Users\Admin\AppData\Local\Temp\01_extracted.exe, started with the command line "C:\Users\Admin\AppData\Local\Temp\01_extracted.exe". Depths 2 through 122 are all the image C:\Users\Admin\AppData\Local\directory\name.exe; depth 2 was started with the command line "C:\Users\Admin\AppData\Local\Temp\01_extracted.exe", and every deeper one with "C:\Users\Admin\AppData\Local\directory\name.exe".
Signature abbreviations: LDD = Loads dropped DLL; DSF = Drops startup file; EDE = Executes dropped EXE; SLD = System Location Discovery: System Language Discovery; FSTW = Suspicious use of FindShellTrayWindow; SNM = Suspicious use of SendNotifyMessage; WPM = Suspicious use of WriteProcessMemory; "-" = no signature recorded.

  Depth  PID   Signatures
  1      2304  LDD, FSTW, SNM, WPM
  2      2296  DSF, EDE, FSTW, SNM, WPM
  3      2544  EDE, SLD, FSTW, SNM, WPM
  4      2872  EDE, FSTW, SNM, WPM
  5      2720  EDE, FSTW, SNM, WPM
  6      2940  EDE, SLD, FSTW, SNM, WPM
  7      2636  EDE, SLD, FSTW, SNM, WPM
  8      2444  EDE, FSTW, SNM, WPM
  9      2976  EDE, FSTW, SNM, WPM
  10     2952  EDE, FSTW, SNM, WPM
  11     828   EDE, FSTW, SNM, WPM
  12     324   EDE, FSTW, SNM, WPM
  13     1912  EDE, FSTW, SNM, WPM
  14     2084  EDE, FSTW, SNM, WPM
  15     1988  EDE, FSTW, SNM, WPM
  16     668   EDE, FSTW, SNM, WPM
  17     1892  EDE, SLD, FSTW, SNM
  18     300   EDE, FSTW, SNM
  19     2504  EDE, FSTW, SNM
  20     3060  EDE, FSTW, SNM
  21     776   EDE, FSTW, SNM
  22     1856  EDE, SLD, FSTW, SNM
  23     496   EDE, FSTW, SNM
  24     2128  EDE, FSTW, SNM
  25     2516  EDE, SLD, FSTW, SNM
  26     2784  EDE, SLD, FSTW, SNM
  27     2884  EDE, FSTW, SNM
  28     2900  EDE, FSTW, SNM
  29     2768  EDE, SLD, FSTW, SNM
  30     2652  EDE, FSTW, SNM
  31     1716  EDE, SLD, FSTW, SNM
  32     1712  EDE, FSTW, SNM
  33     2860  EDE
  34     3004  EDE
  35     1980  EDE
  36     1688  EDE
  37     2148  EDE
  38     2140  EDE
  39     448   EDE
  40     1284  EDE
  41     2420  EDE
  42     1268  EDE
  43     1652  EDE, SLD
  44     3032  EDE
  45     2360  EDE, SLD
  46     560   EDE, SLD
  47     1676  EDE
  48     1484  EDE
  49     1940  EDE
  50     2748  EDE
  51     2760  EDE, SLD
  52     2472  EDE, SLD
  53     2924  EDE
  54     2436  EDE
  55     2956  EDE
  56     2832  EDE, SLD
  57     2024  EDE
  58     2968  EDE
  59     2356  EDE
  60     2324  EDE
  61     1620  EDE
  62     1724  EDE
  63     888   EDE
  64     932   EDE
  65     1108  EDE
  66     1228  SLD
  67     2388  -
  68     2072  -
  69     1200  SLD
  70     1736  -
  71     2404  -
  72     2800  -
  73     584   SLD
  74     3012  -
  75     2648  -
  76     2616  SLD
  77     3000  -
  78     1700  -
  79     1916  SLD
  80     1740  -
  81     1148  -
  82     1100  -
  83     356   SLD
  84     3020  -
  85     1684  SLD
  86     1792  -
  87     1376  -
  88     1256  SLD
  89     2744  SLD
  90     2728  SLD
  91     2820  -
  92     2676  -
  93     2156  -
  94     1812  -
  95     1556  SLD
  96     2220  -
  97     1768  -
  98     1104  -
  99     860   SLD
  100    2524  -
  101    2408  -
  102    2040  -
  103    2428  -
  104    604   -
  105    2916  SLD
  106    2772  -
  107    2716  -
  108    1776  -
  109    2132  -
  110    2056  SLD
  111    1492  -
  112    108   -
  113    1448  SLD
  114    1728  SLD
  115    540   -
  116    1612  SLD
  117    1704  SLD
  118    2788  SLD
  119    1092  -
  120    2672  SLD
  121    1876  -
  122    1372  SLD