Analysis
max time kernel: 120s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/08/2024, 15:56
Static task: static1
Behavioral task: behavioral1
Sample: 46416f8b447247d8415d6711cb6b63b0N.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 46416f8b447247d8415d6711cb6b63b0N.exe
Resource: win10v2004-20240802-en
General
Target: 46416f8b447247d8415d6711cb6b63b0N.exe
Size: 118KB
MD5: 46416f8b447247d8415d6711cb6b63b0
SHA1: d6308f676b4cb6a611c6414f38882683100e6841
SHA256: e5f041f8502f291b601f1608e096e6d0fd19b4b80d496f9fce7a7d5d46cb6697
SHA512: a07c7dec084282d0ffe338acfbc0b9222fdc7191db9172c0c8a823e42ac138bc6ac16116f7efbd05bb108f51c6b090fe2120fb098d8b51a0345fd689099addab
SSDEEP: 1536:TciVACQyUbupR1wBxAN5R52g8t2NR0nX+Cct3J3ffTYNbYe4MMcw8C8PfyyGJ74f:wup/2xAN5x8tu1e4hj8fE1sehPVc
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
-
Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation iCEIkMAM.exe
-
Executes dropped EXE 2 IoCs
pid Process
3472 VUYQgMAs.exe
3236 iCEIkMAM.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VUYQgMAs.exe = "C:\\Users\\Admin\\rAcAsQUI\\VUYQgMAs.exe" 46416f8b447247d8415d6711cb6b63b0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iCEIkMAM.exe = "C:\\ProgramData\\AiUkEEMw\\iCEIkMAM.exe" 46416f8b447247d8415d6711cb6b63b0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iCEIkMAM.exe = "C:\\ProgramData\\AiUkEEMw\\iCEIkMAM.exe" iCEIkMAM.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VUYQgMAs.exe = "C:\\Users\\Admin\\rAcAsQUI\\VUYQgMAs.exe" VUYQgMAs.exe
-
Drops file in System32 directory 1 IoCs
description ioc Process
File created C:\Windows\SysWOW64\shell32.dll.exe iCEIkMAM.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
3236 iCEIkMAM.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
3236 iCEIkMAM.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exe"C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Users\Admin\rAcAsQUI\VUYQgMAs.exe"C:\Users\Admin\rAcAsQUI\VUYQgMAs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3472
-
-
C:\ProgramData\AiUkEEMw\iCEIkMAM.exe"C:\ProgramData\AiUkEEMw\iCEIkMAM.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3236
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"2⤵
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"4⤵
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"6⤵
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"8⤵PID:3920
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"10⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"12⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"14⤵PID:3244
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"16⤵PID:4456
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N17⤵
- Suspicious behavior: EnumeratesProcesses
PID:536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"18⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"20⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2308 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"22⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3008 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"24⤵
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N25⤵
- Suspicious behavior: EnumeratesProcesses
PID:448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"26⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N27⤵
- Suspicious behavior: EnumeratesProcesses
PID:316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"28⤵PID:4508
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"30⤵PID:2312
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"32⤵
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵PID:1016
-
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N33⤵PID:4136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"34⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N35⤵PID:1948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"36⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N37⤵PID:4900
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"38⤵PID:4000
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N39⤵PID:428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"40⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N41⤵PID:2124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"42⤵PID:64
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N43⤵
- System Location Discovery: System Language Discovery
PID:4236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"44⤵PID:3864
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N45⤵PID:548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"46⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N47⤵PID:1456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"48⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N49⤵PID:3996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"50⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N51⤵PID:2716
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"52⤵PID:2604
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N53⤵PID:3160
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"54⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N55⤵PID:3308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"56⤵PID:1584
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:1456
-
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N57⤵PID:1624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"58⤵
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N59⤵PID:2040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"60⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N61⤵PID:2828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"62⤵PID:388
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N63⤵PID:2164
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"64⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N65⤵
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"66⤵
- System Location Discovery: System Language Discovery
PID:4800 -
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N67⤵PID:2268
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"68⤵PID:3244
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N69⤵PID:4868
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"70⤵PID:3888
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N71⤵PID:3260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"72⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N73⤵PID:1000
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"74⤵PID:2488
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N75⤵PID:4992
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"76⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N77⤵PID:1916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"78⤵PID:4348
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N79⤵PID:2828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"80⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N81⤵PID:3596
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"82⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N83⤵PID:4508
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"84⤵
- System Location Discovery: System Language Discovery
PID:968 -
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N85⤵PID:5064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"86⤵PID:3864
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N87⤵PID:4252
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"88⤵
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N89⤵
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"90⤵PID:3888
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:3596
-
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N91⤵PID:1548
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"92⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N93⤵
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"94⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N95⤵PID:2256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"96⤵PID:1016
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N97⤵
- System Location Discovery: System Language Discovery
PID:5044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"98⤵
- System Location Discovery: System Language Discovery
PID:4356 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV199⤵PID:4564
-
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N99⤵PID:1000
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"100⤵PID:2344
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:1548
-
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N101⤵PID:1008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"102⤵PID:3052
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1103⤵PID:4452
-
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N103⤵PID:1464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"104⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N105⤵PID:3008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"106⤵PID:404
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N107⤵PID:4152
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"108⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N109⤵PID:2880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"110⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N111⤵PID:2976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"112⤵PID:4464
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1113⤵PID:620
-
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N113⤵PID:2036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"114⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N115⤵
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"116⤵PID:3120
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N117⤵PID:3624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"118⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N119⤵PID:2524
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"120⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N.exeC:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N121⤵PID:2476
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\46416f8b447247d8415d6711cb6b63b0N"122⤵PID:1632