Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20-10-2024 02:40
Static task: static1
Behavioral task: behavioral1
  Sample: 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
  Resource: win10v2004-20241007-en
General
- Target: 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
- Size: 481KB
- MD5: 3d22785820fa2733e027f971636c7d50
- SHA1: 611e564956d956ba3b6f8dd3ef6b3bc7cff8fc2c
- SHA256: 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591b
- SHA512: c5b0f1ff044ff958a515569fec24849e4c46b242472caf2ae4f3a1e6abbbaa9611e23f4048236aab04c2eabd4c36f53efd5c388838b754a16844791fd02dcf84
- SSDEEP: 12288:Z8XyCT1pYLsyss98S5GtpQ9MM0Vy/YWhDjdmfxD2WTq:+BT4YMO59y/vljuJT
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
(this entry is repeated 64 times in the report)
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
(this entry is repeated 64 times in the report)
-
Renames multiple (76) files with added filename extension
This suggests ransomware activity: encrypting all of the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation | DGQIEEQU.exe
-
Executes dropped EXE 3 IoCs
pid | Process
2756 | KGAQwQEs.exe
2704 | DGQIEEQU.exe
2556 | pSoMwskA.exe
-
Loads dropped DLL 22 IoCs
pid | Process
2196 | 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe (4 entries)
2704 | DGQIEEQU.exe (18 entries)
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YigQsUoE.exe = "C:\\ProgramData\\KcEsUAsg\\YigQsUoE.exe" | 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\KGAQwQEs.exe = "C:\\Users\\Admin\\mkcUkYkA\\KGAQwQEs.exe" | 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DGQIEEQU.exe = "C:\\ProgramData\\YKcAIoYs\\DGQIEEQU.exe" | 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\KGAQwQEs.exe = "C:\\Users\\Admin\\mkcUkYkA\\KGAQwQEs.exe" | KGAQwQEs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DGQIEEQU.exe = "C:\\ProgramData\\YKcAIoYs\\DGQIEEQU.exe" | DGQIEEQU.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DGQIEEQU.exe = "C:\\ProgramData\\YKcAIoYs\\DGQIEEQU.exe" | pSoMwskA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\wogYwAcY.exe = "C:\\Users\\Admin\\bsgUEsgQ\\wogYwAcY.exe" | 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\mkcUkYkA | pSoMwskA.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\mkcUkYkA\KGAQwQEs | pSoMwskA.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid | pid_target | Process | procid_target
2400 | 2944 | WerFault.exe | 177
1640 | 2376 | WerFault.exe | 179
2952 | 1560 | WerFault.exe | 181
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (30 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (18 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe (9 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe (6 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pSoMwskA.exe (1 entry)
-
Modifies registry key 1 TTPs 64 IoCs
pid | Process
All 64 entries are reg.exe; pids in report order:
2012, 2652, 1168, 2796, 2180, 1896, 1772, 1720, 2208, 2352, 780, 2016, 2436, 872, 2844, 1804, 1628, 1668, 2668, 448, 2028, 2060, 2428, 608, 2860, 1308, 2596, 1640, 2676, 2736, 1088, 2092, 2036, 1992, 2672, 400, 2668, 3040, 2596, 2488, 292, 2800, 840, 1404, 2964, 2740, 2104, 1280, 2336, 1260, 1956, 888, 1072, 984, 2964, 2464, 316, 1916, 1568, 2152, 1724, 1348, 1292, 2440
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
All 64 entries are 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe; each of the following 32 pids is listed twice, in report order:
2196, 2600, 2956, 2304, 2984, 1404, 2424, 2668, 1372, 2980, 3068, 876, 1988, 2828, 2100, 1692, 2776, 1756, 1944, 536, 1676, 2696, 1940, 2004, 2060, 1472, 2848, 1652, 1476, 1448, 448, 2328
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2704 DGQIEEQU.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2704 DGQIEEQU.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe"C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Users\Admin\mkcUkYkA\KGAQwQEs.exe"C:\Users\Admin\mkcUkYkA\KGAQwQEs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2756
C:\ProgramData\YKcAIoYs\DGQIEEQU.exe"C:\ProgramData\YKcAIoYs\DGQIEEQU.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2704
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"2⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"4⤵
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"6⤵
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"8⤵PID:1892
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2984 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"10⤵
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1404 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"12⤵PID:1756
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN13⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2424 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"14⤵PID:1360
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"16⤵PID:840
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1372 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"18⤵PID:2108
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2980 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"20⤵PID:1624
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3068 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"22⤵PID:2644
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN23⤵
- Suspicious behavior: EnumeratesProcesses
PID:876 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"24⤵PID:2660
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN25⤵
- Adds Run key to start application
PID:1724 -
C:\Users\Admin\bsgUEsgQ\wogYwAcY.exe"C:\Users\Admin\bsgUEsgQ\wogYwAcY.exe"26⤵PID:2944
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 8827⤵
- Program crash
PID:2400
C:\ProgramData\KcEsUAsg\YigQsUoE.exe"C:\ProgramData\KcEsUAsg\YigQsUoE.exe"26⤵PID:2376
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 9227⤵
- Program crash
PID:1640
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"26⤵PID:1096
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1988 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"28⤵PID:1568
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2828 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"30⤵PID:448
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2100 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"32⤵PID:1716
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"34⤵PID:2948
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN35⤵
- Suspicious behavior: EnumeratesProcesses
PID:2776 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"36⤵PID:2244
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN37⤵
- Suspicious behavior: EnumeratesProcesses
PID:1756 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"38⤵PID:1504
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN39⤵
- Suspicious behavior: EnumeratesProcesses
PID:1944 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"40⤵PID:1696
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN41⤵
- Suspicious behavior: EnumeratesProcesses
PID:536 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"42⤵PID:1804
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN43⤵
- Suspicious behavior: EnumeratesProcesses
PID:1676 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"44⤵PID:1812
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN45⤵
- Suspicious behavior: EnumeratesProcesses
PID:2696 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"46⤵PID:1404
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"48⤵PID:952
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN49⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2004 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"50⤵PID:2988
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"52⤵PID:1584
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN53⤵
- Suspicious behavior: EnumeratesProcesses
PID:1472 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"54⤵PID:752
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2848 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"56⤵PID:2888
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"58⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN59⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1476 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"60⤵PID:1712
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN61⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1448 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"62⤵PID:1168
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN63⤵
- Suspicious behavior: EnumeratesProcesses
PID:448 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"64⤵
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN65⤵
- Suspicious behavior: EnumeratesProcesses
PID:2328 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"66⤵PID:1716
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN67⤵PID:1708
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"68⤵PID:1396
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN69⤵PID:2688
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"70⤵PID:1472
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN71⤵PID:2940
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"72⤵PID:340
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN73⤵PID:296
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"74⤵PID:2888
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN75⤵PID:1396
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"76⤵PID:1196
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN77⤵PID:2288
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"78⤵PID:1916
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN79⤵PID:1568
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"80⤵PID:304
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN81⤵PID:3044
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"82⤵PID:2964
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN83⤵PID:2136
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"84⤵PID:1280
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN85⤵PID:2340
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"86⤵PID:2596
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN87⤵PID:656
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"88⤵PID:1936
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN89⤵PID:3064
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"90⤵PID:1708
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN91⤵PID:408
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"92⤵PID:1292
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN93⤵PID:2828
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"94⤵PID:748
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN95⤵PID:2592
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"96⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN97⤵PID:1720
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"98⤵PID:2648
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN99⤵PID:1732
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"100⤵PID:876
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN101⤵PID:2100
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"102⤵PID:2940
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN103⤵PID:1712
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"104⤵PID:2244
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN105⤵PID:2036
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"106⤵PID:2120
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN107⤵PID:1572
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"108⤵PID:316
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN109⤵PID:2592
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"110⤵PID:3036
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN111⤵PID:2964
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"112⤵PID:2976
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN113⤵PID:1892
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"114⤵PID:1344
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN115⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"116⤵PID:2492
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN117⤵PID:2728
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"118⤵PID:904
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN119⤵PID:1952
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"120⤵
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN121⤵PID:1628
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"122⤵PID:1684