Analysis
-
max time kernel
3s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
31/10/2024, 20:25
Static task
static1
Behavioral task
behavioral1
Sample
0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
Resource
win10v2004-20241007-en
General
-
Target
0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
-
Size
559KB
-
MD5
d77a2a8dc301f12498a0ff2d2b18f9d0
-
SHA1
8449189d4ae8dd243beb4da515b9537e324a2e04
-
SHA256
0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb
-
SHA512
0e89ba95ae61b62b5dedd5677a2c9a7e28f6a50d332c9d65c98643e401651389bb181a2a136eb19e8a264f929c8b4b85c007e2a511a5554ead759e7dc9adac7f
-
SSDEEP
12288:ZSHSMmFJXE8QlM+RmM9G9fjmtKgbVGzA:oFmFdEFZRmM9GMthbp
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe (5 identical entries)
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe (5 identical entries)
-
Executes dropped EXE 3 IoCs
pid Process
392 QcsQYQUs.exe
4396 uMoAcEks.exe
2468 WqAQMwIs.exe
-
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QcsQYQUs.exe = "C:\\Users\\Admin\\WaMcUYwo\\QcsQYQUs.exe" 0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uMoAcEks.exe = "C:\\ProgramData\\GYcscscY\\uMoAcEks.exe" 0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QcsQYQUs.exe = "C:\\Users\\Admin\\WaMcUYwo\\QcsQYQUs.exe" QcsQYQUs.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uMoAcEks.exe = "C:\\ProgramData\\GYcscscY\\uMoAcEks.exe" uMoAcEks.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uMoAcEks.exe = "C:\\ProgramData\\GYcscscY\\uMoAcEks.exe" WqAQMwIs.exe
-
Drops file in System32 directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\config\systemprofile\WaMcUYwo\QcsQYQUs WqAQMwIs.exe
File opened for modification C:\Windows\SysWOW64\config\systemprofile\WaMcUYwo WqAQMwIs.exe
-
System Location Discovery: System Language Discovery 1 TTPs 39 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Processes
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe"C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe"C:\Users\Admin\WaMcUYwo\QcsQYQUs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:392
-
-
C:\ProgramData\GYcscscY\uMoAcEks.exe"C:\ProgramData\GYcscscY\uMoAcEks.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4396
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"8⤵
- System Location Discovery: System Language Discovery
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb9⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"10⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb11⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3504 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"12⤵
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb13⤵PID:1640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"14⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb15⤵PID:1600
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"16⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb17⤵PID:912
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"18⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb19⤵PID:1956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"20⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb21⤵PID:1112
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"22⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb23⤵PID:1312
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"24⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb25⤵PID:3748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"26⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb27⤵PID:3520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"28⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb29⤵PID:212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"30⤵PID:4280
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb31⤵PID:2608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"32⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb33⤵PID:3688
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"34⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb35⤵PID:3528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"36⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb37⤵PID:3160
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"38⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb39⤵PID:2412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"40⤵PID:1976
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb41⤵PID:2240
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"42⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb43⤵PID:4760
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"44⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb45⤵PID:2684
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"46⤵PID:4320
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb47⤵PID:2500
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"48⤵PID:1328
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb49⤵PID:32
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"50⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb51⤵PID:3168
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"52⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb53⤵PID:3504
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"54⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb55⤵PID:2328
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"56⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb57⤵PID:2988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"58⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb59⤵PID:4628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"60⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb61⤵PID:3440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"62⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb63⤵PID:1864
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"64⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb65⤵PID:2004
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"66⤵PID:2736
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb67⤵PID:1976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"68⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb69⤵PID:2012
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"70⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb71⤵PID:2724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"72⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb73⤵PID:3376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"74⤵PID:3688
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb75⤵PID:2204
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"76⤵PID:2012
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb77⤵PID:2240
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"78⤵PID:3200
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb79⤵PID:3164
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"80⤵PID:2648
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb81⤵PID:2964
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"82⤵PID:3076
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb83⤵PID:1916
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"84⤵PID:1100
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb85⤵PID:1928
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"86⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb87⤵PID:2040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"88⤵PID:3308
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb89⤵PID:4624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"90⤵PID:2640
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb91⤵PID:1976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"92⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb93⤵PID:3028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"94⤵PID:4064
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb95⤵PID:212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"96⤵PID:344
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb97⤵PID:4300
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"98⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb99⤵PID:2364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"100⤵PID:3748
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb101⤵PID:2380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"102⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb103⤵PID:2436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"104⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb105⤵PID:1396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"106⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb107⤵PID:4996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"108⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb109⤵PID:4920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"110⤵PID:3164
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb111⤵PID:2908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"112⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb113⤵PID:3900
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"114⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb115⤵PID:4324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"116⤵PID:3828
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb117⤵PID:4496
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"118⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb119⤵PID:3332
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"120⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb.exeC:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb121⤵PID:1396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0696c262659057e52aafb4c6305b08b1196e1236e836d8f971fe1f620de00bfb"122⤵PID:3308
-