Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-10-2024 04:27
Static task
static1
Behavioral task
behavioral1
Sample
e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
Resource
win7-20240903-en
General
-
Target
e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
-
Size
593KB
-
MD5
80fd97e449d74569e8017e962fad5ce1
-
SHA1
90c2161413fef7a734141b9d47425d2e81a5f487
-
SHA256
e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
-
SHA512
f1192614c717d26cbb7ae6c55d327790e8876b74fe42f3ab9a4864a7ab329d4a398807af48c42f5edaf6d9c6001654bfc1b48eb17c051d566fb4066c7115ec1c
-
SSDEEP
12288:fzQ0CajEjoDgfYoZNbFRtMFiMyI0Pzc+KomeLkTe:M7n/gytFgw/PDWk
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 63 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (65) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation wiEYskco.exe -
Deletes itself 1 IoCs
pid Process 1696 cmd.exe -
Executes dropped EXE 3 IoCs
pid Process 2480 okcIAUIM.exe 2340 wiEYskco.exe 2108 VaEAQQEc.exe -
Loads dropped DLL 22 IoCs
pid Process 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\okcIAUIM.exe = "C:\\Users\\Admin\\nGkEQsEk\\okcIAUIM.exe" e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiEYskco.exe = "C:\\ProgramData\\zsIQAEUk\\wiEYskco.exe" e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiEYskco.exe = "C:\\ProgramData\\zsIQAEUk\\wiEYskco.exe" wiEYskco.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\okcIAUIM.exe = "C:\\Users\\Admin\\nGkEQsEk\\okcIAUIM.exe" okcIAUIM.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wiEYskco.exe = "C:\\ProgramData\\zsIQAEUk\\wiEYskco.exe" VaEAQQEc.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\qosUMoMY.exe = "C:\\Users\\Admin\\eAMMcEkw\\qosUMoMY.exe" e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mYkwIYks.exe = "C:\\ProgramData\\qmEossog\\mYkwIYks.exe" e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\nGkEQsEk VaEAQQEc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\nGkEQsEk\okcIAUIM VaEAQQEc.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico wiEYskco.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 1396 2912 WerFault.exe 478 1464 2736 WerFault.exe 480 880 2692 WerFault.exe 482 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language okcIAUIM.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 2100 reg.exe 1656 reg.exe 2488 reg.exe 1832 reg.exe 2924 reg.exe 812 reg.exe 1136 reg.exe 2748 reg.exe 568 reg.exe 2616 reg.exe 2640 reg.exe 3044 reg.exe 1704 reg.exe 2928 reg.exe 408 reg.exe 1396 reg.exe 1336 reg.exe 3024 reg.exe 2732 reg.exe 1492 reg.exe 2044 reg.exe 1668 reg.exe 2084 reg.exe 2896 reg.exe 1412 reg.exe 528 reg.exe 1656 reg.exe 2608 reg.exe 1580 reg.exe 2972 reg.exe 1696 reg.exe 2524 reg.exe 2192 reg.exe 2520 reg.exe 2488 reg.exe 1536 reg.exe 2396 reg.exe 940 reg.exe 328 reg.exe 2852 reg.exe 2496 reg.exe 2616 reg.exe 624 reg.exe 1316 reg.exe 2544 reg.exe 1676 reg.exe 1828 reg.exe 2084 reg.exe 2524 reg.exe 892 reg.exe 2476 reg.exe 1944 reg.exe 2316 reg.exe 2900 reg.exe 1192 reg.exe 2000 reg.exe 2104 reg.exe 2196 reg.exe 1092 reg.exe 1652 reg.exe 1864 reg.exe 2788 reg.exe 2572 reg.exe 2804 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2636 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2636 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 588 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 588 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2520 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2520 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1000 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1000 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 528 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 528 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2868 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2868 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2388 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2388 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1756 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1756 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1412 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1412 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3000 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3000 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2676 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2676 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 848 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 848 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2052 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2052 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1464 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1464 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1412 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1412 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2844 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2844 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1892 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1892 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2132 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2132 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2892 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2892 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2492 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2492 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2236 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2236 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2940 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2940 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2388 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2388 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 580 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 580 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1196 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1196 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2824 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2824 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2220 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2220 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2328 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2328 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1312 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1312 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2808 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2808 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2340 wiEYskco.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe 2340 wiEYskco.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2480 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 31 PID 2324 wrote to memory of 2480 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 31 PID 2324 wrote to memory of 2480 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 31 PID 2324 wrote to memory of 2480 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 31 PID 2324 wrote to memory of 2340 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 32 PID 2324 wrote to memory of 2340 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 32 PID 2324 wrote to memory of 2340 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 32 PID 2324 wrote to memory of 2340 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 32 PID 2324 wrote to memory of 2684 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 34 PID 2324 wrote to memory of 2684 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 34 PID 2324 wrote to memory of 2684 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 34 PID 2324 wrote to memory of 2684 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 34 PID 2684 wrote to memory of 2564 2684 cmd.exe 36 PID 2684 wrote to memory of 2564 2684 cmd.exe 36 PID 2684 wrote to memory of 2564 2684 cmd.exe 36 PID 2684 wrote to memory of 2564 2684 cmd.exe 36 PID 2324 wrote to memory of 2772 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 37 PID 2324 wrote to memory of 2772 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 37 PID 2324 wrote to memory of 2772 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 37 PID 2324 wrote to memory of 2772 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 37 PID 2324 wrote to memory of 2676 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 38 PID 2324 wrote to memory of 2676 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 38 PID 2324 wrote to memory of 2676 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 38 PID 2324 wrote to memory of 2676 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 38 PID 2324 wrote to memory of 2252 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 40 PID 2324 wrote to memory of 2252 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 40 PID 2324 wrote to memory of 2252 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 40 PID 2324 wrote to memory of 2252 2324 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 40 PID 2564 wrote to memory of 2576 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 43 PID 2564 wrote to memory of 2576 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 43 PID 2564 wrote to memory of 2576 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 43 PID 2564 wrote to memory of 2576 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 43 PID 2576 wrote to memory of 2636 2576 cmd.exe 45 PID 2576 wrote to memory of 2636 2576 cmd.exe 45 PID 2576 wrote to memory of 2636 2576 cmd.exe 45 PID 2576 wrote to memory of 2636 2576 cmd.exe 45 PID 2564 wrote to memory of 3044 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 46 PID 2564 wrote to memory of 3044 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 46 PID 2564 wrote to memory of 3044 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 46 PID 2564 wrote to memory of 3044 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 46 PID 2564 wrote to memory of 1688 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 47 PID 2564 wrote to memory of 1688 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 47 PID 2564 wrote to memory of 1688 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 47 PID 2564 wrote to memory of 1688 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 47 PID 2564 wrote to memory of 3048 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 48 PID 2564 wrote to memory of 3048 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 48 PID 2564 wrote to memory of 3048 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 48 PID 2564 wrote to memory of 3048 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 48 PID 2564 wrote to memory of 2864 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 51 PID 2564 wrote to memory of 2864 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 51 PID 2564 wrote to memory of 2864 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 51 PID 2564 wrote to memory of 2864 2564 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 51 PID 2864 wrote to memory of 1220 2864 cmd.exe 54 PID 2864 wrote to memory of 1220 2864 cmd.exe 54 PID 2864 wrote to memory of 1220 2864 cmd.exe 54 PID 2864 wrote to memory of 1220 2864 cmd.exe 54 PID 2636 wrote to memory of 2852 2636 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 55 PID 2636 wrote to memory of 2852 2636 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 55 PID 2636 wrote to memory of 2852 2636 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 55 PID 2636 wrote to memory of 2852 2636 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 55 PID 2852 wrote to memory of 588 2852 cmd.exe 57 PID 2852 wrote to memory of 588 2852 cmd.exe 57 PID 2852 wrote to memory of 588 2852 cmd.exe 57 PID 2852 wrote to memory of 588 2852 cmd.exe 57
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Admin\nGkEQsEk\okcIAUIM.exe"C:\Users\Admin\nGkEQsEk\okcIAUIM.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2480
-
-
C:\ProgramData\zsIQAEUk\wiEYskco.exe"C:\ProgramData\zsIQAEUk\wiEYskco.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2340
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"2⤵
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b3473⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"4⤵
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b3475⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"6⤵
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b3477⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:588 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"8⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b3479⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"10⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34711⤵
- Suspicious behavior: EnumeratesProcesses
PID:1000 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"12⤵
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34713⤵
- Suspicious behavior: EnumeratesProcesses
PID:528 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"14⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34715⤵
- Suspicious behavior: EnumeratesProcesses
PID:2868 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"16⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34717⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2388 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"18⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34719⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1756 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"20⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34721⤵
- Suspicious behavior: EnumeratesProcesses
PID:1412 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"22⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34723⤵
- Suspicious behavior: EnumeratesProcesses
PID:3000 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"24⤵
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34725⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"26⤵
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34727⤵
- Suspicious behavior: EnumeratesProcesses
PID:848 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"28⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34729⤵
- Suspicious behavior: EnumeratesProcesses
PID:2052 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"30⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34731⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"32⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34733⤵
- Suspicious behavior: EnumeratesProcesses
PID:1412 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"34⤵
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34735⤵
- Suspicious behavior: EnumeratesProcesses
PID:2844 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"36⤵
- System Location Discovery: System Language Discovery
PID:536 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34737⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"38⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34739⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2132 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"40⤵
- System Location Discovery: System Language Discovery
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34741⤵
- Suspicious behavior: EnumeratesProcesses
PID:2892 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"42⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34743⤵
- Suspicious behavior: EnumeratesProcesses
PID:2492 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"44⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34745⤵
- Suspicious behavior: EnumeratesProcesses
PID:2236 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"46⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34747⤵
- Suspicious behavior: EnumeratesProcesses
PID:2940 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"48⤵PID:1968
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34749⤵
- Suspicious behavior: EnumeratesProcesses
PID:2388 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"50⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34751⤵
- Suspicious behavior: EnumeratesProcesses
PID:580 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"52⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34753⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"54⤵PID:2368
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34755⤵
- Suspicious behavior: EnumeratesProcesses
PID:2824 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"56⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34757⤵
- Suspicious behavior: EnumeratesProcesses
PID:2220 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"58⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34759⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2328 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"60⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34761⤵
- Suspicious behavior: EnumeratesProcesses
PID:1312 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"62⤵PID:2672
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34763⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2808 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"64⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34765⤵PID:408
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"66⤵PID:344
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34767⤵PID:1076
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"68⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34769⤵
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"70⤵
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34771⤵PID:880
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"72⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34773⤵PID:1456
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"74⤵PID:1340
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34775⤵
- Adds Run key to start application
PID:2472 -
C:\Users\Admin\eAMMcEkw\qosUMoMY.exe"C:\Users\Admin\eAMMcEkw\qosUMoMY.exe"76⤵PID:2912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 12077⤵
- Program crash
PID:1396
-
-
-
C:\ProgramData\qmEossog\mYkwIYks.exe"C:\ProgramData\qmEossog\mYkwIYks.exe"76⤵PID:2736
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 9277⤵
- Program crash
PID:1464
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"76⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34777⤵PID:2024
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"78⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34779⤵
- System Location Discovery: System Language Discovery
PID:1192 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"80⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34781⤵PID:2096
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"82⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34783⤵PID:2336
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"84⤵PID:2180
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34785⤵PID:588
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"86⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34787⤵PID:1088
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"88⤵
- System Location Discovery: System Language Discovery
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34789⤵PID:880
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"90⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34791⤵PID:2820
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"92⤵PID:468
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34793⤵PID:1696
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"94⤵PID:2644
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34795⤵PID:988
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"96⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34797⤵PID:1884
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"98⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34799⤵PID:2264
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"100⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347101⤵PID:1192
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"102⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347103⤵PID:2820
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"104⤵
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347105⤵PID:560
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"106⤵PID:1000
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347107⤵PID:588
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"108⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347109⤵PID:1088
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"110⤵PID:2428
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347111⤵PID:320
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"112⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347113⤵PID:1984
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"114⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347115⤵PID:1896
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"116⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347117⤵PID:2276
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"118⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347119⤵PID:2336
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"120⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347121⤵PID:2936
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"122⤵PID:448
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-