Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 04:23
Static task: static1
Behavioral task: behavioral1
Sample: e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
Resource: win7-20240903-en

General
Target: e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
Size: 593KB
MD5: 80fd97e449d74569e8017e962fad5ce1
SHA1: 90c2161413fef7a734141b9d47425d2e81a5f487
SHA256: e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
SHA512: f1192614c717d26cbb7ae6c55d327790e8876b74fe42f3ab9a4864a7ab329d4a398807af48c42f5edaf6d9c6001654bfc1b48eb17c051d566fb4066c7115ec1c
SSDEEP: 12288:fzQ0CajEjoDgfYoZNbFRtMFiMyI0Pzc+KomeLkTe:M7n/gytFgw/PDWk
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
(identical entry repeated 64 times)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
(identical entry repeated throughout the table)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | EYAMkQQM.exe
Executes dropped EXE 3 IoCs
pid | Process
1128 | EYAMkQQM.exe
2888 | DuogMosY.exe
2564 | EGoIMAYM.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYAMkQQM.exe = "C:\\Users\\Admin\\CAEMkAwI\\EYAMkQQM.exe" | e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DuogMosY.exe = "C:\\ProgramData\\xyskcwkM\\DuogMosY.exe" | e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYAMkQQM.exe = "C:\\Users\\Admin\\CAEMkAwI\\EYAMkQQM.exe" | EYAMkQQM.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DuogMosY.exe = "C:\\ProgramData\\xyskcwkM\\DuogMosY.exe" | DuogMosY.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DuogMosY.exe = "C:\\ProgramData\\xyskcwkM\\DuogMosY.exe" | EGoIMAYM.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\sheRepairPush.docx | EYAMkQQM.exe
File opened for modification | C:\Windows\SysWOW64\sheSwitchSelect.pptm | EYAMkQQM.exe
File opened for modification | C:\Windows\SysWOW64\sheUndoWrite.docx | EYAMkQQM.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\CAEMkAwI | EGoIMAYM.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\CAEMkAwI\EYAMkQQM | EGoIMAYM.exe
File created | C:\Windows\SysWOW64\shell32.dll.exe | EYAMkQQM.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
(64 entries in total, all for the same key across these four processes)
Modifies registry key 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1128 EYAMkQQM.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
1128 EYAMkQQM.exe (64 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2988 wrote to memory of 1128 2988 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 88 (3 entries)
PID 2988 wrote to memory of 2888 2988 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 89 (3 entries)
PID 2988 wrote to memory of 1428 2988 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 92 (3 entries)
PID 1428 wrote to memory of 4920 1428 cmd.exe 94 (3 entries)
PID 2988 wrote to memory of 2908 2988 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 95 (3 entries)
PID 2988 wrote to memory of 2760 2988 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 96 (3 entries)
PID 2988 wrote to memory of 824 2988 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 97 (3 entries)
PID 4920 wrote to memory of 4544 4920 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 101 (3 entries)
PID 4920 wrote to memory of 2144 4920 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 103 (3 entries)
PID 4920 wrote to memory of 3428 4920 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 104 (3 entries)
PID 4920 wrote to memory of 2976 4920 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 105 (3 entries)
PID 4920 wrote to memory of 1016 4920 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 106 (3 entries)
PID 4544 wrote to memory of 2368 4544 cmd.exe 111 (3 entries)
PID 1016 wrote to memory of 3772 1016 cmd.exe 112 (3 entries)
PID 2368 wrote to memory of 2824 2368 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 113 (3 entries)
PID 2824 wrote to memory of 876 2824 cmd.exe 115 (3 entries)
PID 2368 wrote to memory of 3740 2368 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 116 (3 entries)
PID 2368 wrote to memory of 636 2368 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 117 (3 entries)
PID 2368 wrote to memory of 4300 2368 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 118 (3 entries)
PID 2368 wrote to memory of 548 2368 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 119 (3 entries)
PID 548 wrote to memory of 1704 548 cmd.exe 124 (3 entries)
PID 876 wrote to memory of 4456 876 e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe 125 (1 entry)
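The WriteProcessMemory list is the most useful part of this report for reconstructing who launched whom, because every record names the writing PID, the target PID and the writer's image, whereas the process tree further down reuses PIDs within the run. The parser below is an added example written for this page, not output of the sandbox: it scans the run-together report text with a regular expression (so it works on the page as rendered, without line breaks), collapses the repeated records (each writer/target pair is listed three times here) into a count, builds a parent-to-child map and walks it for the deepest chain. SAMPLE_IOCS is a constructed subset of the records shown above. Two caveats the output makes visible: a target that never appears as a writer gets no image, because the record only names the writer's image; and several targets in the full list (2908, 2760, 824, 2144, 2976, 1016's child 3772, 3740, 636, 4300 and 548) never appear in the process tree section, so the IoC list and the tree have to be read together rather than trusting either alone.

```python
"""Rebuild the spawn chain from the "Suspicious use of WriteProcessMemory" IoCs.

Added example for this report page; it is not part of the sandbox's own output.
The report prints every record as
    PID <writer> wrote to memory of <target> <writer> <image> <procid_target>
and repeats each writer/target pair (three times per spawn here), so repeats
are collapsed into a count. SAMPLE_IOCS is a constructed subset of the report's
own records, run together on one line the way the page shows them.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"

SAMPLE_IOCS = " ".join([
    "PID 2988 wrote to memory of 1128 2988 " + SAMPLE + " 88",
    "PID 2988 wrote to memory of 1128 2988 " + SAMPLE + " 88",
    "PID 2988 wrote to memory of 1128 2988 " + SAMPLE + " 88",
    "PID 2988 wrote to memory of 1428 2988 " + SAMPLE + " 92",
    "PID 1428 wrote to memory of 4920 1428 cmd.exe 94",
    "PID 4920 wrote to memory of 4544 4920 " + SAMPLE + " 101",
    "PID 4544 wrote to memory of 2368 4544 cmd.exe 111",
    "PID 2368 wrote to memory of 2824 2368 " + SAMPLE + " 113",
    "PID 2824 wrote to memory of 876 2824 cmd.exe 115",
    "PID 876 wrote to memory of 4456 876 " + SAMPLE + " 125",
])

# The writer PID appears twice per record; the back-reference enforces that.
RECORD_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<procid>\d+)"
)


def parse_records(text):
    """Return ({(writer, target): count}, {writer_pid: image}) from report text.

    finditer() is used instead of splitting on newlines so the page's
    run-together list parses as-is.
    """
    counts = Counter()
    images = {}
    for m in RECORD_RE.finditer(text):
        writer, target = int(m["writer"]), int(m["target"])
        counts[(writer, target)] += 1
        images[writer] = m["image"]  # a record names only the writer's image
    return counts, images


def build_children(counts):
    """Adjacency map parent -> [child, ...] in first-seen order."""
    children = defaultdict(list)
    for writer, target in counts:
        children[writer].append(target)
    return children


def longest_chain(children, root):
    """Deepest writer -> target path starting at root (iterative DFS, cycle-safe)."""
    best = [root]
    stack = [(root, [root])]
    while stack:
        pid, path = stack.pop()
        if len(path) > len(best):
            best = path
        for child in children.get(pid, ()):
            if child not in path:  # reused PIDs could otherwise form a loop
                stack.append((child, path + [child]))
    return best


def describe_chain(chain, images):
    """Pair each PID on the chain with its image, '?' when the list never names it."""
    return [(pid, images.get(pid, "?")) for pid in chain]


def relaunch_count(chain, images, sample=SAMPLE):
    """How many times the sample image itself occurs along the chain."""
    return sum(1 for pid in chain if images.get(pid) == sample)


if __name__ == "__main__":
    counts, images = parse_records(SAMPLE_IOCS)
    chain = longest_chain(build_children(counts), 2988)
    for pid, image in describe_chain(chain, images):
        print(f"{pid:>5}  {image}")
    print("sample relaunched", relaunch_count(chain, images), "times along the chain")
```

Feeding the complete list from the report into parse_records gives 22 distinct writer/target pairs from the 64 entries; the chain rooted at 2988 alternates between the sample and cmd.exe exactly as the process tree below does.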
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
"C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe"
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988
2⤵ C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe
"C:\Users\Admin\CAEMkAwI\EYAMkQQM.exe"
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1128
2⤵ C:\ProgramData\xyskcwkM\DuogMosY.exe
"C:\ProgramData\xyskcwkM\DuogMosY.exe"
- Executes dropped EXE
- Adds Run key to start application
PID:2888
2⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
- Suspicious use of WriteProcessMemory
PID:1428
3⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4920
4⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
- Suspicious use of WriteProcessMemory
PID:4544
5⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368
6⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
- Suspicious use of WriteProcessMemory
PID:2824
7⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876
8⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:4456
9⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:4052
10⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2032
11⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:3788
12⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
- System Location Discovery: System Language Discovery
PID:1004
13⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:1560
14⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
- System Location Discovery: System Language Discovery
PID:3156
15⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:1820
16⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:1016
17⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:2956
18⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2800
19⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:3996
20⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2948
21⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:1616
22⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2404
23⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:3008
24⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:3428
25⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:2820
26⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
- System Location Discovery: System Language Discovery
PID:1300
27⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:4140
28⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2916
29⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:1052
30⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
- System Location Discovery: System Language Discovery
PID:1600
31⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- Suspicious behavior: EnumeratesProcesses
PID:4580
32⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:1704
33⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:2204
34⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:3088
35⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:2036
36⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2936
37⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:2924
38⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:1048
39⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:2708
40⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:4848
41⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:4188
42⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:3996
43⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:1980
44⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:1168
45⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:2692
46⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2756
47⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:2616
48⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
- System Location Discovery: System Language Discovery
PID:4476
49⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:2872
50⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2620
51⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:4268
52⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:3508
53⤵ C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PID:1420
53⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:1620
54⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:1328
55⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:4064
56⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:4848
57⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:4392
58⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:3832
59⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:1016
60⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:3844
61⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:3308
62⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2728
63⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:2540
64⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2324
65⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:1920
66⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:1828
67⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:2620
68⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:3308
69⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:3748
70⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:4032
71⤵ C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PID:4836
71⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:3140
72⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:4212
73⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"74⤵
- System Location Discovery: System Language Discovery
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34775⤵PID:880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"76⤵PID:512
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:828
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34777⤵
- System Location Discovery: System Language Discovery
PID:4408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"78⤵PID:2036
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵PID:1632
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34779⤵PID:2800
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"80⤵PID:1440
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵PID:3028
-
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34781⤵PID:4188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"82⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34783⤵PID:1980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"84⤵PID:2464
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34785⤵PID:2924
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"86⤵
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34787⤵PID:2524
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"88⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34789⤵PID:2584
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"90⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exeC:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b34791⤵PID:3484
-
92⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2464
93⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:880
94⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:1088
95⤵ C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PID:1176
95⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:1272
96⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:3932
97⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:4844
98⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2356
99⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:3548
100⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:1096
101⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
- System Location Discovery: System Language Discovery
PID:3276
102⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
- System Location Discovery: System Language Discovery
PID:3708
103⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:3332
104⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
- System Location Discovery: System Language Discovery
PID:3540
105⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:3044
106⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:3548
107⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:2356
108⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:544
109⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:1788
110⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:4392
111⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:1436
112⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:4048
113⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:2352
114⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
- System Location Discovery: System Language Discovery
PID:3892
115⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:784
116⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:2800
117⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:1004
118⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:4544
119⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:1656
120⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:1076
121⤵ C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347.exe
C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347
PID:4144
122⤵ C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e9f909e7059ec7e3d7f0f49fbd9fc9ba687ff3d1fc5a6cf0cfaf30a19c80b347"
PID:880