Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-10-2024 02:40
Static task
static1
Behavioral task
behavioral1
Sample
7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
Resource
win10v2004-20241007-en
General
-
Target
7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe
-
Size
481KB
-
MD5
3d22785820fa2733e027f971636c7d50
-
SHA1
611e564956d956ba3b6f8dd3ef6b3bc7cff8fc2c
-
SHA256
7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591b
-
SHA512
c5b0f1ff044ff958a515569fec24849e4c46b242472caf2ae4f3a1e6abbbaa9611e23f4048236aab04c2eabd4c36f53efd5c388838b754a16844791fd02dcf84
-
SSDEEP
12288:Z8XyCT1pYLsyss98S5GtpQ9MM0Vy/YWhDjdmfxD2WTq:+BT4YMO59y/vljuJT
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (52) files with added filename extension
This suggests ransomware activity: the files on the system are being encrypted and renamed.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation YUgQMkcI.exe -
Executes dropped EXE 3 IoCs
pid Process 3728 YUgQMkcI.exe 4476 QuYEoUUs.exe 4560 AMAkoQUc.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
-
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUgQMkcI.exe = "C:\\Users\\Admin\\bgMQIwoo\\YUgQMkcI.exe" 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QuYEoUUs.exe = "C:\\ProgramData\\WCwgcgww\\QuYEoUUs.exe" 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUgQMkcI.exe = "C:\\Users\\Admin\\bgMQIwoo\\YUgQMkcI.exe" YUgQMkcI.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QuYEoUUs.exe = "C:\\ProgramData\\WCwgcgww\\QuYEoUUs.exe" QuYEoUUs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QuYEoUUs.exe = "C:\\ProgramData\\WCwgcgww\\QuYEoUUs.exe" AMAkoQUc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bAIksggA.exe = "C:\\Users\\Admin\\IWkYMYcQ\\bAIksggA.exe" 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eWMwoIIE.exe = "C:\\ProgramData\\resAEcUc\\eWMwoIIE.exe" 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\bgMQIwoo\YUgQMkcI AMAkoQUc.exe File opened for modification C:\Windows\SysWOW64\sheInitializeLock.docx YUgQMkcI.exe File opened for modification C:\Windows\SysWOW64\sheJoinOptimize.docx YUgQMkcI.exe File opened for modification C:\Windows\SysWOW64\shePingUnblock.png YUgQMkcI.exe File opened for modification C:\Windows\SysWOW64\sheReceiveConvertTo.xlsx YUgQMkcI.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\bgMQIwoo AMAkoQUc.exe File created C:\Windows\SysWOW64\shell32.dll.exe YUgQMkcI.exe File opened for modification C:\Windows\SysWOW64\sheSendRename.wma YUgQMkcI.exe File opened for modification C:\Windows\SysWOW64\sheSwitchNew.mp3 YUgQMkcI.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 2320 4956 WerFault.exe 149 3176 3372 WerFault.exe 147 2068 4028 WerFault.exe 150 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 2392 reg.exe 228 reg.exe 1604 reg.exe 3904 reg.exe 4800 reg.exe 4100 reg.exe 1964 reg.exe 4880 reg.exe 3132 reg.exe 836 reg.exe 3884 reg.exe 3388 reg.exe 3444 reg.exe 1136 reg.exe 4236 reg.exe 3496 reg.exe 2392 reg.exe 4884 reg.exe 3396 reg.exe 2200 reg.exe 228 reg.exe 3912 reg.exe 4616 reg.exe 2188 reg.exe 2324 reg.exe 2364 reg.exe 2176 reg.exe 4460 reg.exe 1772 reg.exe 4368 reg.exe 3216 reg.exe 844 reg.exe 2144 reg.exe 3904 reg.exe 4112 reg.exe 3436 reg.exe 1664 reg.exe 1548 reg.exe 4588 reg.exe 3508 reg.exe 3612 reg.exe 2776 reg.exe 5084 reg.exe 4712 reg.exe 3480 reg.exe 4732 reg.exe 4440 reg.exe 3092 reg.exe 2100 reg.exe 4452 reg.exe 1076 reg.exe 2892 reg.exe 2544 reg.exe 928 reg.exe 3372 reg.exe 4904 reg.exe 520 reg.exe 3884 reg.exe 3284 reg.exe 1428 reg.exe 2364 reg.exe 4488 reg.exe 4244 reg.exe 3312 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1404 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1404 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1404 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1404 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3696 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3696 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3696 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3696 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2172 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2172 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2172 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2172 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 4736 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 4736 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 4736 
7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 4736 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2144 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2144 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2144 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2144 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2792 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2792 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2792 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2792 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3100 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3100 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3100 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3100 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1240 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1240 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1240 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1240 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3396 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3396 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3396 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3396 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2612 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2612 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2612 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2612 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2528 
7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2528 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2528 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 2528 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3040 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3040 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3040 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 3040 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1944 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1944 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1944 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 1944 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs (repeated GetForegroundWindow polling by the dropped YUgQMkcI.exe; this pattern is commonly used to gauge user activity, so treat it as a possible sandbox/user-presence check rather than proof of one)
pid Process 3728 YUgQMkcI.exe -
Suspicious use of FindShellTrayWindow 64 IoCs (all entries come from the dropped YUgQMkcI.exe, PID 3728; the list is capped at 64 entries, so the real call count is likely higher)
pid Process 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe 3728 YUgQMkcI.exe -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64 entries; the targets that appear in the process tree below are direct children of the writing process — e.g. 4452→3728 YUgQMkcI.exe, 4452→4268 cmd.exe, 4268→3472 re-launched sample — and each child is written three times, which is consistent with ordinary child-process setup from a 32-bit parent rather than injection into unrelated processes; targets not shown in the tree excerpt, such as 2200 and 4588, should be checked before this is reported as process injection)
description pid Process procid_target PID 4452 wrote to memory of 3728 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 86 PID 4452 wrote to memory of 3728 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 86 PID 4452 wrote to memory of 3728 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 86 PID 4452 wrote to memory of 4476 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 88 PID 4452 wrote to memory of 4476 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 88 PID 4452 wrote to memory of 4476 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 88 PID 4452 wrote to memory of 4268 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 90 PID 4452 wrote to memory of 4268 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 90 PID 4452 wrote to memory of 4268 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 90 PID 4268 wrote to memory of 3472 4268 cmd.exe 92 PID 4268 wrote to memory of 3472 4268 cmd.exe 92 PID 4268 wrote to memory of 3472 4268 cmd.exe 92 PID 4452 wrote to memory of 2200 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 93 PID 4452 wrote to memory of 2200 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 93 PID 4452 wrote to memory of 2200 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 93 PID 4452 wrote to memory of 4588 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 94 PID 4452 wrote to memory of 4588 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 94 PID 4452 wrote to memory of 4588 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 94 PID 4452 wrote to memory of 2612 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 95 PID 4452 wrote to memory of 2612 4452 
7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 95 PID 4452 wrote to memory of 2612 4452 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 95 PID 3472 wrote to memory of 3496 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 99 PID 3472 wrote to memory of 3496 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 99 PID 3472 wrote to memory of 3496 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 99 PID 3496 wrote to memory of 2216 3496 cmd.exe 101 PID 3496 wrote to memory of 2216 3496 cmd.exe 101 PID 3496 wrote to memory of 2216 3496 cmd.exe 101 PID 3472 wrote to memory of 4460 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 102 PID 3472 wrote to memory of 4460 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 102 PID 3472 wrote to memory of 4460 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 102 PID 3472 wrote to memory of 2976 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 103 PID 3472 wrote to memory of 2976 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 103 PID 3472 wrote to memory of 2976 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 103 PID 3472 wrote to memory of 4924 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 104 PID 3472 wrote to memory of 4924 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 104 PID 3472 wrote to memory of 4924 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 104 PID 3472 wrote to memory of 3312 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 105 PID 3472 wrote to memory of 3312 3472 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 105 PID 3472 wrote to memory of 3312 3472 
7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 105 PID 3312 wrote to memory of 1164 3312 cmd.exe 110 PID 3312 wrote to memory of 1164 3312 cmd.exe 110 PID 3312 wrote to memory of 1164 3312 cmd.exe 110 PID 2216 wrote to memory of 1312 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 111 PID 2216 wrote to memory of 1312 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 111 PID 2216 wrote to memory of 1312 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 111 PID 1312 wrote to memory of 1404 1312 cmd.exe 113 PID 1312 wrote to memory of 1404 1312 cmd.exe 113 PID 1312 wrote to memory of 1404 1312 cmd.exe 113 PID 2216 wrote to memory of 228 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 114 PID 2216 wrote to memory of 228 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 114 PID 2216 wrote to memory of 228 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 114 PID 2216 wrote to memory of 2424 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 115 PID 2216 wrote to memory of 2424 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 115 PID 2216 wrote to memory of 2424 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 115 PID 2216 wrote to memory of 2776 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 116 PID 2216 wrote to memory of 2776 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 116 PID 2216 wrote to memory of 2776 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 116 PID 2216 wrote to memory of 4668 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 117 PID 2216 wrote to memory of 4668 2216 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 117 PID 2216 wrote to memory of 4668 2216 
7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 117 PID 4668 wrote to memory of 2228 4668 cmd.exe 122 PID 4668 wrote to memory of 2228 4668 cmd.exe 122 PID 4668 wrote to memory of 2228 4668 cmd.exe 122 PID 1404 wrote to memory of 1964 1404 7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe 194
Processes (process tree; each entry is the image path immediately followed by its command line, and the trailing number before ⤵ is the nesting depth, not part of the command line. Note the self-re-execution loop: the sample runs cmd.exe /c "<its own path without .exe>", which Windows resolves to the .exe via PATHEXT, and the relaunched copy repeats the step, producing the >100-deep chain below; persistence and the dropped payloads are created only in the first few levels. The conhost.exe 0xffffffff -ForceV1 entries are the console host spawned for cmd.exe and are not by themselves suspicious.)
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe"C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe"C:\Users\Admin\bgMQIwoo\YUgQMkcI.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3728
-
-
C:\ProgramData\WCwgcgww\QuYEoUUs.exe"C:\ProgramData\WCwgcgww\QuYEoUUs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4476
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"4⤵
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"6⤵
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"8⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"10⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN11⤵
- Adds Run key to start application
PID:3924 -
C:\Users\Admin\IWkYMYcQ\bAIksggA.exe"C:\Users\Admin\IWkYMYcQ\bAIksggA.exe"12⤵PID:3372
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 376 (depth 13)⤵
- Program crash
PID:3176
-
-
-
C:\ProgramData\resAEcUc\eWMwoIIE.exe"C:\ProgramData\resAEcUc\eWMwoIIE.exe"12⤵PID:4956
-
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 224 (depth 13)⤵
- Program crash
PID:2320
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"12⤵PID:3168
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2172 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"14⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"16⤵PID:3304
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2144 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"18⤵PID:632
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵PID:3696
-
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"20⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"22⤵PID:1476
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"24⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"26⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"28⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"30⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN31⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"32⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"34⤵PID:4056
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV135⤵PID:2792
-
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN35⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"36⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN37⤵
- System Location Discovery: System Language Discovery
PID:4236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"38⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN39⤵PID:3756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"40⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN41⤵PID:4868
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"42⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN43⤵PID:640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"44⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN45⤵PID:2180
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"46⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN47⤵PID:1540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"48⤵PID:4704
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV149⤵PID:2172
-
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN49⤵PID:3736
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"50⤵
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN51⤵
- System Location Discovery: System Language Discovery
PID:3972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"52⤵
- System Location Discovery: System Language Discovery
PID:536 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN53⤵PID:4648
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"54⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN55⤵PID:1656
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"56⤵PID:532
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN57⤵PID:2232
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"58⤵
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN59⤵PID:5060
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"60⤵PID:4276
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN61⤵PID:2892
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"62⤵
- System Location Discovery: System Language Discovery
PID:1872 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN63⤵PID:2392
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"64⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN65⤵PID:2652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"66⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵PID:4868
-
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN67⤵PID:2100
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"68⤵PID:4088
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN69⤵PID:4668
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"70⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN71⤵PID:3136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"72⤵PID:5068
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN73⤵
- System Location Discovery: System Language Discovery
PID:3744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"74⤵PID:3612
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN75⤵PID:4716
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"76⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN77⤵PID:3336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"78⤵PID:4128
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN79⤵
- System Location Discovery: System Language Discovery
PID:1432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"80⤵PID:3556
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵PID:4812
-
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN81⤵
- System Location Discovery: System Language Discovery
PID:4616 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"82⤵
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN83⤵PID:3740
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"84⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN85⤵PID:2068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"86⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN87⤵PID:4520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"88⤵PID:4080
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN89⤵PID:4388
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"90⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN91⤵PID:5000
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"92⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN93⤵PID:4956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"94⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN95⤵PID:64
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"96⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN97⤵PID:4616
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"98⤵PID:3260
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV199⤵PID:4748
-
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN99⤵PID:1964
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"100⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN101⤵PID:3292
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"102⤵PID:1376
-
C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exeC:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN103⤵PID:5036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN"104⤵PID:2100
-
Image: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe | Command line: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN | 105⤵ | Signature: System Location Discovery: System Language Discovery | PID: 2108
Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN" | 106⤵ | Signature: System Location Discovery: System Language Discovery | PID: 3132
Image: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe | Command line: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN | 107⤵ | PID: 3752
-
Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN" | 108⤵ | Signature: System Location Discovery: System Language Discovery | PID: 4552
Image: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe | Command line: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN | 109⤵ | PID: 3480
-
Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN" | 110⤵ | Signature: System Location Discovery: System Language Discovery | PID: 5080
Image: C:\Windows\System32\Conhost.exe | Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 111⤵ | PID: 5000
-
-
Image: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe | Command line: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN | 111⤵ | PID: 1376
-
Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN" | 112⤵ | PID: 4704
-
Image: C:\Windows\System32\Conhost.exe | Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 113⤵ | PID: 2108
-
-
Image: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe | Command line: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN | 113⤵ | PID: 4884
-
Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN" | 114⤵ | PID: 4296
-
Image: C:\Windows\System32\Conhost.exe | Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 115⤵ | PID: 4828
-
-
Image: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe | Command line: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN | 115⤵ | PID: 3184
-
Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN" | 116⤵ | PID: 4164
-
Image: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe | Command line: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN | 117⤵ | PID: 2400
-
Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN" | 118⤵ | PID: 436
-
Image: C:\Windows\System32\Conhost.exe | Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 119⤵ | PID: 4616
-
-
Image: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe | Command line: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN | 119⤵ | PID: 1080
-
Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN" | 120⤵ | PID: 2728
-
Image: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN.exe | Command line: C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN | 121⤵ | PID: 1704
-
Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\7d24e0358eb5dc53edb222858d7b6ceff90d5dd7fa735f604637e385fd1c591bN" | 122⤵ | Signature: System Location Discovery: System Language Discovery | PID: 4312

Note on reading this tree: each hop is the sample relaunching itself through `cmd.exe /c "<own path>"` with the `.exe` extension omitted, one level deeper per hop, reaching level 122 within the 120 s run. The `conhost.exe 0xffffffff -ForceV1` rows are the console host that Windows starts for any console process and are not an indicator on their own; the recursive cmd.exe relaunch chain is the behaviour of note. The cmd.exe image path is `SysWOW64\cmd.exe` while its command line names `system32`, consistent with a 32-bit parent subject to WoW64 file-system redirection. Several PIDs recur in the tree (e.g. 1376, 2108, 4616), so earlier processes in the chain had already exited and their PIDs were reused — correlate on PID plus start time, not PID alone.