Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 13-08-2024 01:07

Static task: static1
Behavioral task: behavioral1
  Sample: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
  Resource: win10v2004-20240802-en
General
Target: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
Size: 1.3MB
MD5: 02e47dfd1294ce31f13dba280c0a67b5
SHA1: 6abb28614be7035275e5bd3a3f37e0d5a733c083
SHA256: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e
SHA512: 7653d7e6d15597b39435bc91b722bb01d49775b3cac42e7d48dec8a708fb993587955877045adb799fe7a544b42f22ac6b2af60aef7c56936a5ee93132ee5fa4
SSDEEP: 24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8aR1qE5nfd3oSGnVm+Wf:0TvC/MTQYxsWR7aRVSS+I+
Malware Config
Signatures
Drops startup file 1 IoC
Processes: name.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs (by name.exe)
Executes dropped EXE 64 IoCs
Loads dropped DLL 2 IoCs
Processes: PID 2692 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe; PID 2192 name.exe
AutoIT Executable 1 IoC
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched resource behavioral1/files/0x0008000000017292-13.dat
System Location Discovery: System Language Discovery 1 TTP, 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (64 IoCs: once by 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe, otherwise by name.exe)
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry below is a child of the entry above it (depth 1 is the submitted sample; the chain is 109 levels deep).

1  PID 2692  C:\Users\Admin\AppData\Local\Temp\248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe"
   Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
2  PID 2192  C:\Users\Admin\AppData\Local\directory\name.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe"
   Drops startup file; Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

Entries 3 to 109 are all C:\Users\Admin\AppData\Local\directory\name.exe launched with the command line "C:\Users\Admin\AppData\Local\directory\name.exe"; only the PID and the matched signatures differ:

3    PID 2884  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
4    PID 2760  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
5    PID 2844  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
6    PID 2776  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
7    PID 2680  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
8    PID 1640  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
9    PID 2664  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
10   PID 1616  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
11   PID 1488  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
12   PID 1928  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
13   PID 2504  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
14   PID 2100  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
15   PID 648   Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
16   PID 2588  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
17   PID 3040  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
18   PID 1876  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
19   PID 1300  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
20   PID 2560  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
21   PID 1280  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
22   PID 2404  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
23   PID 1788  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
24   PID 2080  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
25   PID 2912  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
26   PID 2736  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
27   PID 2928  Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
28   PID 2800  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
29   PID 2856  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
30   PID 2372  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
31   PID 1088  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
32   PID 1100  Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
33   PID 1444  Executes dropped EXE
34   PID 536   Executes dropped EXE
35   PID 1492  Executes dropped EXE
36   PID 1580  Executes dropped EXE
37   PID 2156  Executes dropped EXE
38   PID 2244  Executes dropped EXE
39   PID 2784  Executes dropped EXE
40   PID 2508  Executes dropped EXE
41   PID 1744  Executes dropped EXE
42   PID 896   Executes dropped EXE
43   PID 2228  Executes dropped EXE
44   PID 2540  Executes dropped EXE
45   PID 1408  Executes dropped EXE; System Location Discovery: System Language Discovery
46   PID 2060  Executes dropped EXE
47   PID 2352  Executes dropped EXE; System Location Discovery: System Language Discovery
48   PID 2168  Executes dropped EXE
49   PID 624   Executes dropped EXE
50   PID 2492  Executes dropped EXE; System Location Discovery: System Language Discovery
51   PID 2280  Executes dropped EXE
52   PID 2788  Executes dropped EXE; System Location Discovery: System Language Discovery
53   PID 1944  Executes dropped EXE
54   PID 1688  Executes dropped EXE
55   PID 2200  Executes dropped EXE
56   PID 320   Executes dropped EXE
57   PID 2900  Executes dropped EXE; System Location Discovery: System Language Discovery
58   PID 1048  Executes dropped EXE; System Location Discovery: System Language Discovery
59   PID 2312  Executes dropped EXE
60   PID 1748  Executes dropped EXE
61   PID 2036  Executes dropped EXE; System Location Discovery: System Language Discovery
62   PID 276   Executes dropped EXE
63   PID 1348  Executes dropped EXE
64   PID 1096  Executes dropped EXE
65   PID 2916  Executes dropped EXE
66   PID 1236  (no signatures matched)
67   PID 884   (no signatures matched)
68   PID 876   System Location Discovery: System Language Discovery
69   PID 2344  System Location Discovery: System Language Discovery
70   PID 2700  (no signatures matched)
71   PID 2612  System Location Discovery: System Language Discovery
72   PID 2792  (no signatures matched)
73   PID 2656  System Location Discovery: System Language Discovery
74   PID 576   (no signatures matched)
75   PID 2432  (no signatures matched)
76   PID 632   (no signatures matched)
77   PID 1660  (no signatures matched)
78   PID 1820  (no signatures matched)
79   PID 2260  (no signatures matched)
80   PID 444   System Location Discovery: System Language Discovery
81   PID 2020  (no signatures matched)
82   PID 1680  System Location Discovery: System Language Discovery
83   PID 3064  System Location Discovery: System Language Discovery
84   PID 2116  System Location Discovery: System Language Discovery
85   PID 1508  (no signatures matched)
86   PID 1604  System Location Discovery: System Language Discovery
87   PID 2324  (no signatures matched)
88   PID 2812  (no signatures matched)
89   PID 2872  (no signatures matched)
90   PID 2016  (no signatures matched)
91   PID 3016  (no signatures matched)
92   PID 1360  (no signatures matched)
93   PID 484   System Location Discovery: System Language Discovery
94   PID 1376  (no signatures matched)
95   PID 2496  System Location Discovery: System Language Discovery
96   PID 2452  (no signatures matched)
97   PID 1960  (no signatures matched)
98   PID 1864  System Location Discovery: System Language Discovery
99   PID 1304  (no signatures matched)
100  PID 3020  (no signatures matched)
101  PID 2980  System Location Discovery: System Language Discovery
102  PID 1600  (no signatures matched)
103  PID 2552  (no signatures matched)
104  PID 2712  (no signatures matched)
105  PID 2780  (no signatures matched)
106  PID 2224  (no signatures matched)
107  PID 1128  (no signatures matched)
108  PID 1648  (no signatures matched)
109  PID 2000  (no signatures matched)
-
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"110⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"111⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"112⤵PID:1628
-
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"113⤵PID:1712
-
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"114⤵PID:2852
-
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"115⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"116⤵PID:2284
-
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"117⤵PID:2864
-
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"118⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"119⤵PID:2984
-
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"120⤵PID:264
-
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"121⤵PID:1808
-
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\directory\name.exe"122⤵PID:2104
-