Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2024 04:27
Static task
static1
Behavioral task
behavioral1
Sample
e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
Resource
win7-20240903-en
General
-
Target
e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
-
Size
593KB
-
MD5
80fd97e449d74569e8017e962fad5ce1
-
SHA1
90c2161413fef7a734141b9d47425d2e81a5f487
-
SHA256
e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
-
SHA512
f1192614c717d26cbb7ae6c55d327790e8876b74fe42f3ab9a4864a7ab329d4a398807af48c42f5edaf6d9c6001654bfc1b48eb17c051d566fb4066c7115ec1c
-
SSDEEP
12288:fzQ0CajEjoDgfYoZNbFRtMFiMyI0Pzc+KomeLkTe:M7n/gytFgw/PDWk
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation swsAMQAE.exe -
Executes dropped EXE 3 IoCs
pid Process 3660 cuMEQIIs.exe 3008 swsAMQAE.exe 3052 JOAUIAEI.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swsAMQAE.exe = "C:\\ProgramData\\GSssAoAs\\swsAMQAE.exe" swsAMQAE.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuMEQIIs.exe = "C:\\Users\\Admin\\HqMgQUAk\\cuMEQIIs.exe" cuMEQIIs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swsAMQAE.exe = "C:\\ProgramData\\GSssAoAs\\swsAMQAE.exe" JOAUIAEI.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuMEQIIs.exe = "C:\\Users\\Admin\\HqMgQUAk\\cuMEQIIs.exe" e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swsAMQAE.exe = "C:\\ProgramData\\GSssAoAs\\swsAMQAE.exe" e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\HqMgQUAk JOAUIAEI.exe File opened for modification C:\Windows\SysWOW64\sheSendMerge.xlsx swsAMQAE.exe File opened for modification C:\Windows\SysWOW64\sheWaitSave.docx swsAMQAE.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\HqMgQUAk\cuMEQIIs JOAUIAEI.exe File created C:\Windows\SysWOW64\shell32.dll.exe swsAMQAE.exe File opened for modification C:\Windows\SysWOW64\sheLockRedo.xlsx swsAMQAE.exe File opened for modification C:\Windows\SysWOW64\sheNewInvoke.mp3 swsAMQAE.exe File opened for modification C:\Windows\SysWOW64\sheRemoveUndo.xlsx swsAMQAE.exe File opened for modification C:\Windows\SysWOW64\sheUnblockUnprotect.mpg swsAMQAE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 3704 reg.exe 4632 reg.exe 1920 reg.exe 1768 reg.exe 2664 reg.exe 3260 reg.exe 4036 reg.exe 928 reg.exe 1444 reg.exe 1180 reg.exe 1660 reg.exe 3068 reg.exe 4988 reg.exe 3356 reg.exe 3868 reg.exe 4988 reg.exe 1624 reg.exe 4244 reg.exe 5028 reg.exe 1444 reg.exe 4816 reg.exe 884 reg.exe 368 reg.exe 3244 reg.exe 4432 reg.exe 2072 reg.exe 4584 reg.exe 2288 reg.exe 4184 reg.exe 2116 reg.exe 1500 reg.exe 1972 reg.exe 4316 reg.exe 4596 reg.exe 3252 reg.exe 2732 reg.exe 424 reg.exe 3944 reg.exe 3920 reg.exe 3612 reg.exe 1556 reg.exe 2724 reg.exe 2020 reg.exe 2128 reg.exe 2128 reg.exe 4348 reg.exe 2744 reg.exe 5116 reg.exe 5032 reg.exe 4680 reg.exe 1796 reg.exe 2116 reg.exe 4764 reg.exe 4436 reg.exe 4696 reg.exe 1704 reg.exe 1608 reg.exe 1536 reg.exe 1600 reg.exe 3948 reg.exe 3740 reg.exe 764 reg.exe 552 reg.exe 4816 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1376 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1376 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1376 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1376 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 448 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 448 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 448 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 448 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2300 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2300 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2300 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 2300 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4768 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4768 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4768 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4768 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1312 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1312 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1312 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1312 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1904 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1904 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1904 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1904 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4572 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4572 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4572 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4572 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4600 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4600 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4600 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4600 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4036 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4036 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4036 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 4036 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1056 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1056 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1056 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1056 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3372 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3372 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3372 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3372 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1500 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1500 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1500 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 1500 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3920 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3920 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3920 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 3920 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3008 swsAMQAE.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe 3008 swsAMQAE.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 836 wrote to memory of 3660 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 86 PID 836 wrote to memory of 3660 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 86 PID 836 wrote to memory of 3660 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 86 PID 836 wrote to memory of 3008 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 87 PID 836 wrote to memory of 3008 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 87 PID 836 wrote to memory of 3008 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 87 PID 836 wrote to memory of 1660 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 90 PID 836 wrote to memory of 1660 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 90 PID 836 wrote to memory of 1660 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 90 PID 1660 wrote to memory of 2712 1660 cmd.exe 92 PID 1660 wrote to memory of 2712 1660 cmd.exe 92 PID 1660 wrote to memory of 2712 1660 cmd.exe 92 PID 836 wrote to memory of 2116 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 93 PID 836 wrote to memory of 2116 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 93 PID 836 wrote to memory of 2116 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 93 PID 836 wrote to memory of 4988 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 94 PID 836 wrote to memory of 4988 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 94 PID 836 wrote to memory of 4988 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 94 PID 836 wrote to memory of 4080 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 95 PID 836 wrote to memory of 4080 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 95 PID 836 wrote to memory of 4080 836 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 95 PID 2712 wrote to memory of 1496 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 99 PID 2712 wrote to memory of 1496 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 99 PID 2712 wrote to memory of 1496 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 99 PID 2712 wrote to memory of 1340 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 101 PID 2712 wrote to memory of 1340 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 101 PID 2712 wrote to memory of 1340 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 101 PID 2712 wrote to memory of 4680 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 102 PID 2712 wrote to memory of 4680 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 102 PID 2712 wrote to memory of 4680 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 102 PID 2712 wrote to memory of 1768 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 103 PID 2712 wrote to memory of 1768 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 103 PID 2712 wrote to memory of 1768 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 103 PID 2712 wrote to memory of 3332 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 104 PID 2712 wrote to memory of 3332 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 104 PID 2712 wrote to memory of 3332 2712 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 104 PID 3332 wrote to memory of 1080 3332 cmd.exe 109 PID 3332 wrote to memory of 1080 3332 cmd.exe 109 PID 3332 wrote to memory of 1080 3332 cmd.exe 109 PID 1496 wrote to memory of 3948 1496 cmd.exe 110 PID 1496 wrote to memory of 3948 1496 cmd.exe 110 PID 1496 wrote to memory of 3948 1496 cmd.exe 110 PID 3948 wrote to memory of 2472 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 112 PID 3948 wrote to memory of 2472 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 112 PID 3948 wrote to memory of 2472 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 112 PID 3948 wrote to memory of 2588 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 114 PID 3948 wrote to memory of 2588 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 114 PID 3948 wrote to memory of 2588 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 114 PID 3948 wrote to memory of 2564 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 115 PID 3948 wrote to memory of 2564 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 115 PID 3948 wrote to memory of 2564 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 115 PID 3948 wrote to memory of 2324 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 116 PID 3948 wrote to memory of 2324 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 116 PID 3948 wrote to memory of 2324 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 116 PID 3948 wrote to memory of 2428 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 117 PID 3948 wrote to memory of 2428 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 117 PID 3948 wrote to memory of 2428 3948 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 117 PID 2428 wrote to memory of 2692 2428 cmd.exe 122 PID 2428 wrote to memory of 2692 2428 cmd.exe 122 PID 2428 wrote to memory of 2692 2428 cmd.exe 122 PID 2472 wrote to memory of 1376 2472 cmd.exe 123 PID 2472 wrote to memory of 1376 2472 cmd.exe 123 PID 2472 wrote to memory of 1376 2472 cmd.exe 123 PID 1376 wrote to memory of 1896 1376 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 124
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Users\Admin\HqMgQUAk\cuMEQIIs.exe"C:\Users\Admin\HqMgQUAk\cuMEQIIs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3660
-
-
C:\ProgramData\GSssAoAs\swsAMQAE.exe"C:\ProgramData\GSssAoAs\swsAMQAE.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3008
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"2⤵
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b3473⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"4⤵
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b3475⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"6⤵
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b3477⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"8⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b3479⤵
- Suspicious behavior: EnumeratesProcesses
PID:448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"10⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34711⤵
- Suspicious behavior: EnumeratesProcesses
PID:2300 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"12⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34713⤵
- Suspicious behavior: EnumeratesProcesses
PID:4768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"14⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34715⤵
- Suspicious behavior: EnumeratesProcesses
PID:1312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"16⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34717⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"18⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34719⤵
- Suspicious behavior: EnumeratesProcesses
PID:4572 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"20⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34721⤵
- Suspicious behavior: EnumeratesProcesses
PID:4600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"22⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34723⤵
- Suspicious behavior: EnumeratesProcesses
PID:4036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"24⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34725⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"26⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34727⤵
- Suspicious behavior: EnumeratesProcesses
PID:3372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"28⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34729⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"30⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34731⤵
- Suspicious behavior: EnumeratesProcesses
PID:3920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"32⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34733⤵PID:1416
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"34⤵PID:5116
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34735⤵PID:3208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"36⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34737⤵PID:828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"38⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34739⤵PID:856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"40⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34741⤵PID:3812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"42⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34743⤵PID:1504
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"44⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34745⤵PID:2896
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"46⤵
- System Location Discovery: System Language Discovery
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34747⤵PID:1824
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"48⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34749⤵PID:4696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"50⤵PID:4244
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34751⤵PID:2712
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"52⤵PID:3332
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:2776
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34753⤵
- System Location Discovery: System Language Discovery
PID:3376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"54⤵PID:636
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34755⤵PID:4232
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"56⤵PID:1148
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:3108
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34757⤵
- System Location Discovery: System Language Discovery
PID:3484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"58⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34759⤵PID:1800
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"60⤵PID:3976
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34761⤵PID:4812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"62⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34763⤵PID:2692
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"64⤵PID:1896
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV165⤵PID:2996
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34765⤵PID:2964
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"66⤵
- System Location Discovery: System Language Discovery
PID:452 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34767⤵PID:5116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"68⤵PID:3128
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34769⤵PID:692
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"70⤵PID:620
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34771⤵
- System Location Discovery: System Language Discovery
PID:3740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"72⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34773⤵PID:3376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"74⤵PID:1972
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV175⤵PID:3332
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34775⤵PID:4376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"76⤵PID:1968
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:3128
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34777⤵PID:2744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"78⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34779⤵PID:2608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"80⤵PID:1836
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34781⤵PID:4624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"82⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34783⤵PID:3768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"84⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34785⤵PID:620
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"86⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34787⤵PID:4948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"88⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34789⤵PID:4696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"90⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34791⤵PID:2036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"92⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34793⤵PID:1920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"94⤵PID:5104
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV195⤵PID:628
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34795⤵PID:836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"96⤵
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34797⤵
- System Location Discovery: System Language Discovery
PID:1836 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"98⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34799⤵PID:3160
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"100⤵
- System Location Discovery: System Language Discovery
PID:964 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:620
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347101⤵PID:4624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"102⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347103⤵PID:5072
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"104⤵PID:3808
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347105⤵PID:764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"106⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347107⤵PID:4056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"108⤵PID:4520
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347109⤵PID:4368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"110⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347111⤵PID:3984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"112⤵PID:2732
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1113⤵PID:2036
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347113⤵PID:1080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"114⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347115⤵PID:1416
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"116⤵PID:3532
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1117⤵PID:4088
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347117⤵
- System Location Discovery: System Language Discovery
PID:5032 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"118⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347119⤵PID:1968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"120⤵
- System Location Discovery: System Language Discovery
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347121⤵PID:4552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"122⤵PID:4920
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-