Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/11/2024, 16:00
Static task static1
Behavioral task behavioral1: sample main.exe, resource win7-20240903-en
Behavioral task behavioral2: sample main.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample ransom.exe, resource win7-20240903-en
Behavioral task behavioral4: sample ransom.exe, resource win10v2004-20241007-en
Behavioral task behavioral5: sample key_gen/main.exe, resource win7-20240729-en
Behavioral task behavioral6: sample key_gen/main.exe, resource win10v2004-20241007-en
Behavioral task behavioral7: sample key_gen/ransom.exe, resource win7-20240903-en
Behavioral task behavioral8: sample key_gen/ransom.exe, resource win10v2004-20241007-en
Behavioral task behavioral9: sample ransom/Release/ransom.exe, resource win7-20240729-en
Behavioral task behavioral10: sample ransom/Release/ransom.exe, resource win10v2004-20241007-en
Behavioral task behavioral11: sample ransom/ransom/Crypto/RSA/bigdigits.vbs, resource win7-20240903-en
Behavioral task behavioral12: sample ransom/ransom/Crypto/RSA/bigdigits.vbs, resource win10v2004-20241007-en
Behavioral task behavioral13: sample ransom/ransom/Cryptographic.js, resource win7-20241010-en
Behavioral task behavioral14: sample ransom/ransom/Cryptographic.js, resource win10v2004-20241007-en
Behavioral task behavioral15: sample ransom/ransom/ransom.js, resource win7-20240903-en
Behavioral task behavioral16: sample ransom/ransom/ransom.js, resource win10v2004-20241007-en
General
Target: key_gen/ransom.exe
Size: 6.4MB
MD5: 38fb9ac2e51d04182faf81afbef08ab8
SHA1: 1f325950a7a8e1a2050e954f33d2c3774510bd6e
SHA256: 1363c8871061ff83ed3dd0fe025b274442d5c30898c02bdfd4981717f4f33b44
SHA512: 8af5062d6d133379b0ad87439cdf99fc98bff266f03c0a831f84c0c41224c7a97e8e0a5583e8d4b24c04edd0bc6099646ebea3388ffe2fe7917b709604e63406
SSDEEP: 6144:iODh8y70MgJ+j2ZsKmj82uGBOOGHO0GL2g6VzxazESJx2sYMLoI4H4voKJ+QtDeJ:ik70MZMc0RdQtzH8lhwFbZgaOm
Malware Config
Signatures
-
Renames multiple (221) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 25 IoCs
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Process: ransom.exe
Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp"
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Kills process with taskkill 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe"
PID: 2208
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im mmc.exe /t
    PID: 2452
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im mmc.exe /t
        PID: 2332
        - Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:528
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2300
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2340
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:604
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2760
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2684
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2720
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2604
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3052
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1340
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2884
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:536
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2052
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1828
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1968
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3068
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3040
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2364
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1944
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1588
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1120
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:972
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2220
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:912
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:624
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2128
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2204
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2888
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1088
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2340
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2760
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2684
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2868
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2612
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3052
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2396
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1340
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
-
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:2736
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:872
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:1828
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:556
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1608
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:1952
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1664
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:684
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2020
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:112
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1588
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:908
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1672
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1600
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2392
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2800
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:3032
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2268
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1652
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:884
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2260
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2836
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2072
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2288
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2668
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2976
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2828
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1068
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2504
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2676
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2684
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2576
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:1624
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2636
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:2612
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:2568
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:3052
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1984
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2572
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1340
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:536
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2848
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:872
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1400
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:588
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2948
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2920
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2136
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1748
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1064
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1820
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2656
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1972
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1060
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:112
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:908
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:1588
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1724
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1672
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:1600
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:1964
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:812
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2088
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:1864
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2800
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:824
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:1712
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:3012
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2028
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:2408
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2268
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1652
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:952
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1656
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:1084
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1824
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1832
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1676
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:1556
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2100
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2352
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:2820
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2780
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:604
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2768
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2816
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2504
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2812
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:2252
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2616
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2868
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1688
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:2556
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:2420
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:344
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2448
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2396
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2916
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2884
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:860
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2736
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:1436
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:880
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1264
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:3068
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2936
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:3064
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:684
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1944
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:3036
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:448
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1192
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1316
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2892
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:1772
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2440
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:924
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1500
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:1208
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:940
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1412
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:2060
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:1708
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:3016
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1596
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:568
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2128
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2368
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1328
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:580
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2344
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1764
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:1088
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2064
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:1696
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:2664
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2836
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2304
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1960
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2348
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2068
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:2976
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:2592
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2412
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:2564
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2676
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2712
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:3044
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2772
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2680
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2608
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2932
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2940
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2296
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1396
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:864
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:536
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:848
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2848
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1224
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:1400
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1508
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2156
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:3024
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2944
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:2016
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:2244
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1476
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2656
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2860
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1900
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:988
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:2124
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:2892
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  PID:912
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1456
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:996
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1600
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:2392
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1092
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:560
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:1864
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:1796
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
- System Location Discovery: System Language Discovery
PID:3028
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:3008
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2024
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  - Kills process with taskkill
  PID:1080
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mmc.exe /t
PID:2852
  C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mmc.exe /t
  PID:932