Overview
overview
10Static
static
3main.exe
windows7-x64
1main.exe
windows10-2004-x64
1ransom.exe
windows7-x64
10ransom.exe
windows10-2004-x64
10key_gen/main.exe
windows7-x64
1key_gen/main.exe
windows10-2004-x64
1key_gen/ransom.exe
windows7-x64
9key_gen/ransom.exe
windows10-2004-x64
9ransom/Rel...om.exe
windows7-x64
6ransom/Rel...om.exe
windows10-2004-x64
6ransom/ran...ts.vbs
windows7-x64
1ransom/ran...ts.vbs
windows10-2004-x64
1ransom/ran...hic.js
windows7-x64
3ransom/ran...hic.js
windows10-2004-x64
3ransom/ran...som.js
windows7-x64
3ransom/ran...som.js
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05/11/2024, 16:00
Static task
static1
Behavioral task
behavioral1
Sample
main.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
main.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
ransom.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
ransom.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
key_gen/main.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
key_gen/main.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
key_gen/ransom.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
key_gen/ransom.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
ransom/Release/ransom.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
ransom/Release/ransom.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
ransom/ransom/Crypto/RSA/bigdigits.vbs
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
ransom/ransom/Crypto/RSA/bigdigits.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
ransom/ransom/Cryptographic.js
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
ransom/ransom/Cryptographic.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
ransom/ransom/ransom.js
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
ransom/ransom/ransom.js
Resource
win10v2004-20241007-en
General
-
Target
key_gen/ransom.exe
-
Size
6.4MB
-
MD5
38fb9ac2e51d04182faf81afbef08ab8
-
SHA1
1f325950a7a8e1a2050e954f33d2c3774510bd6e
-
SHA256
1363c8871061ff83ed3dd0fe025b274442d5c30898c02bdfd4981717f4f33b44
-
SHA512
8af5062d6d133379b0ad87439cdf99fc98bff266f03c0a831f84c0c41224c7a97e8e0a5583e8d4b24c04edd0bc6099646ebea3388ffe2fe7917b709604e63406
-
SSDEEP
6144:iODh8y70MgJ+j2ZsKmj82uGBOOGHO0GL2g6VzxazESJx2sYMLoI4H4voKJ+QtDeJ:ik70MZMc0RdQtzH8lhwFbZgaOm
Malware Config
Signatures
-
Renames multiple (147) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops desktop.ini file(s) 23 IoCs
description ioc Process File opened for modification C:\Users\Admin\Desktop\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Searches\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Videos\desktop.ini ransom.exe File opened for modification C:\Users\Public\Pictures\desktop.ini ransom.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini ransom.exe File opened for modification \??\f:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Documents\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini ransom.exe File opened for modification C:\Users\Public\Downloads\desktop.ini ransom.exe File opened for modification C:\Users\Public\Documents\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Music\desktop.ini ransom.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini ransom.exe File opened for modification C:\Users\Public\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Links\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini ransom.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini ransom.exe File opened for modification C:\Users\Public\Music\desktop.ini ransom.exe File opened for modification C:\Users\Public\Videos\desktop.ini ransom.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\t: ransom.exe File opened (read-only) \??\u: ransom.exe File opened (read-only) \??\w: ransom.exe File opened (read-only) \??\x: ransom.exe File opened (read-only) \??\i: ransom.exe File opened (read-only) \??\e: ransom.exe File opened (read-only) \??\g: ransom.exe File opened (read-only) \??\h: ransom.exe File opened (read-only) \??\l: ransom.exe File opened (read-only) \??\m: ransom.exe File opened (read-only) \??\q: ransom.exe File opened (read-only) \??\y: ransom.exe File opened (read-only) \??\b: ransom.exe File opened (read-only) \??\n: ransom.exe File opened (read-only) \??\r: ransom.exe File opened (read-only) \??\s: ransom.exe File opened (read-only) \??\z: ransom.exe File opened (read-only) \??\a: ransom.exe File opened (read-only) \??\k: ransom.exe File opened (read-only) \??\o: ransom.exe File opened (read-only) \??\p: ransom.exe File opened (read-only) \??\v: ransom.exe File opened (read-only) \??\j: ransom.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" ransom.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Kills process with taskkill 64 IoCs
pid Process 1004 taskkill.exe 5016 taskkill.exe 2004 taskkill.exe 2808 taskkill.exe 4948 taskkill.exe 2024 taskkill.exe 2856 taskkill.exe 3504 taskkill.exe 4704 taskkill.exe 2464 taskkill.exe 1220 taskkill.exe 2492 taskkill.exe 3464 taskkill.exe 808 taskkill.exe 2096 taskkill.exe 4296 taskkill.exe 4412 taskkill.exe 3792 taskkill.exe 1608 taskkill.exe 4992 taskkill.exe 4640 taskkill.exe 4980 taskkill.exe 788 taskkill.exe 2200 taskkill.exe 3936 taskkill.exe 2968 taskkill.exe 2288 taskkill.exe 2028 taskkill.exe 2100 taskkill.exe 4044 taskkill.exe 3012 taskkill.exe 1336 taskkill.exe 808 taskkill.exe 5112 taskkill.exe 4924 taskkill.exe 1764 taskkill.exe 2244 taskkill.exe 4092 taskkill.exe 2464 taskkill.exe 2736 taskkill.exe 2828 taskkill.exe 4244 taskkill.exe 2812 taskkill.exe 4268 taskkill.exe 412 taskkill.exe 4088 taskkill.exe 948 taskkill.exe 5036 taskkill.exe 4396 taskkill.exe 3232 taskkill.exe 1072 taskkill.exe 4020 taskkill.exe 2332 taskkill.exe 2100 taskkill.exe 2336 taskkill.exe 4296 taskkill.exe 4684 taskkill.exe 180 taskkill.exe 4980 taskkill.exe 2456 taskkill.exe 2804 taskkill.exe 3496 taskkill.exe 528 taskkill.exe 4664 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3132 taskkill.exe Token: SeDebugPrivilege 1004 taskkill.exe Token: SeDebugPrivilege 1764 taskkill.exe Token: SeDebugPrivilege 2812 taskkill.exe Token: SeDebugPrivilege 4328 taskkill.exe Token: SeDebugPrivilege 5112 taskkill.exe Token: SeDebugPrivilege 4980 taskkill.exe Token: SeDebugPrivilege 3012 taskkill.exe Token: SeDebugPrivilege 2980 taskkill.exe Token: SeDebugPrivilege 4020 taskkill.exe Token: SeDebugPrivilege 4948 taskkill.exe Token: SeDebugPrivilege 4412 taskkill.exe Token: SeDebugPrivilege 4796 taskkill.exe Token: SeDebugPrivilege 656 taskkill.exe Token: SeDebugPrivilege 788 taskkill.exe Token: SeDebugPrivilege 4268 taskkill.exe Token: SeDebugPrivilege 4472 taskkill.exe Token: SeDebugPrivilege 2332 taskkill.exe Token: SeDebugPrivilege 528 taskkill.exe Token: SeDebugPrivilege 1588 taskkill.exe Token: SeDebugPrivilege 4648 taskkill.exe Token: SeDebugPrivilege 4864 taskkill.exe Token: SeDebugPrivilege 3232 taskkill.exe Token: SeDebugPrivilege 2796 taskkill.exe Token: SeDebugPrivilege 3792 taskkill.exe Token: SeDebugPrivilege 2492 taskkill.exe Token: SeDebugPrivilege 4020 taskkill.exe Token: SeDebugPrivilege 2200 taskkill.exe Token: SeDebugPrivilege 3740 taskkill.exe Token: SeDebugPrivilege 2816 taskkill.exe Token: SeDebugPrivilege 2968 taskkill.exe Token: SeDebugPrivilege 3136 taskkill.exe Token: SeDebugPrivilege 1072 taskkill.exe Token: SeDebugPrivilege 2396 taskkill.exe Token: SeDebugPrivilege 412 taskkill.exe Token: SeDebugPrivilege 808 taskkill.exe Token: SeDebugPrivilege 3284 taskkill.exe Token: SeDebugPrivilege 4088 taskkill.exe Token: SeDebugPrivilege 3464 taskkill.exe Token: SeDebugPrivilege 2484 taskkill.exe Token: SeDebugPrivilege 1608 taskkill.exe Token: SeDebugPrivilege 2648 taskkill.exe Token: SeDebugPrivilege 1972 taskkill.exe Token: SeDebugPrivilege 2244 taskkill.exe Token: SeDebugPrivilege 2288 taskkill.exe Token: SeDebugPrivilege 4976 taskkill.exe Token: SeDebugPrivilege 540 taskkill.exe Token: SeDebugPrivilege 2100 taskkill.exe Token: SeDebugPrivilege 2760 taskkill.exe Token: SeDebugPrivilege 4092 taskkill.exe Token: SeDebugPrivilege 5080 taskkill.exe Token: SeDebugPrivilege 2464 taskkill.exe Token: SeDebugPrivilege 948 taskkill.exe Token: SeDebugPrivilege 2932 taskkill.exe Token: SeDebugPrivilege 2856 taskkill.exe Token: SeDebugPrivilege 3964 taskkill.exe Token: SeDebugPrivilege 4272 taskkill.exe Token: SeDebugPrivilege 4980 taskkill.exe Token: SeDebugPrivilege 1344 taskkill.exe Token: SeDebugPrivilege 2336 taskkill.exe Token: SeDebugPrivilege 4664 taskkill.exe Token: SeDebugPrivilege 4020 taskkill.exe Token: SeDebugPrivilege 3504 taskkill.exe Token: SeDebugPrivilege 3496 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3928 wrote to memory of 1516 3928 ransom.exe 87 PID 3928 wrote to memory of 1516 3928 ransom.exe 87 PID 3928 wrote to memory of 1516 3928 ransom.exe 87 PID 1516 wrote to memory of 3132 1516 cmd.exe 88 PID 1516 wrote to memory of 3132 1516 cmd.exe 88 PID 1516 wrote to memory of 3132 1516 cmd.exe 88 PID 3928 wrote to memory of 4544 3928 ransom.exe 90 PID 3928 wrote to memory of 4544 3928 ransom.exe 90 PID 3928 wrote to memory of 4544 3928 ransom.exe 90 PID 4544 wrote to memory of 1004 4544 cmd.exe 91 PID 4544 wrote to memory of 1004 4544 cmd.exe 91 PID 4544 wrote to memory of 1004 4544 cmd.exe 91 PID 3928 wrote to memory of 1604 3928 ransom.exe 93 PID 3928 wrote to memory of 1604 3928 ransom.exe 93 PID 3928 wrote to memory of 1604 3928 ransom.exe 93 PID 1604 wrote to memory of 1764 1604 cmd.exe 94 PID 1604 wrote to memory of 1764 1604 cmd.exe 94 PID 1604 wrote to memory of 1764 1604 cmd.exe 94 PID 3928 wrote to memory of 3780 3928 ransom.exe 97 PID 3928 wrote to memory of 3780 3928 ransom.exe 97 PID 3928 wrote to memory of 3780 3928 ransom.exe 97 PID 3780 wrote to memory of 2812 3780 cmd.exe 98 PID 3780 wrote to memory of 2812 3780 cmd.exe 98 PID 3780 wrote to memory of 2812 3780 cmd.exe 98 PID 3928 wrote to memory of 2984 3928 ransom.exe 100 PID 3928 wrote to memory of 2984 3928 ransom.exe 100 PID 3928 wrote to memory of 2984 3928 ransom.exe 100 PID 2984 wrote to memory of 4328 2984 cmd.exe 101 PID 2984 wrote to memory of 4328 2984 cmd.exe 101 PID 2984 wrote to memory of 4328 2984 cmd.exe 101 PID 3928 wrote to memory of 1172 3928 ransom.exe 103 PID 3928 wrote to memory of 1172 3928 ransom.exe 103 PID 3928 wrote to memory of 1172 3928 ransom.exe 103 PID 1172 wrote to memory of 5112 1172 cmd.exe 104 PID 1172 wrote to memory of 5112 1172 cmd.exe 104 PID 1172 wrote to memory of 5112 1172 cmd.exe 104 PID 3928 wrote to memory of 4900 3928 ransom.exe 105 PID 3928 wrote to memory of 4900 3928 ransom.exe 105 PID 3928 wrote to memory of 4900 3928 ransom.exe 105 PID 4900 wrote to memory of 4980 4900 cmd.exe 106 PID 4900 wrote to memory of 4980 4900 cmd.exe 106 PID 4900 wrote to memory of 4980 4900 cmd.exe 106 PID 3928 wrote to memory of 2336 3928 ransom.exe 109 PID 3928 wrote to memory of 2336 3928 ransom.exe 109 PID 3928 wrote to memory of 2336 3928 ransom.exe 109 PID 2336 wrote to memory of 3012 2336 cmd.exe 110 PID 2336 wrote to memory of 3012 2336 cmd.exe 110 PID 2336 wrote to memory of 3012 2336 cmd.exe 110 PID 3928 wrote to memory of 4356 3928 ransom.exe 111 PID 3928 wrote to memory of 4356 3928 ransom.exe 111 PID 3928 wrote to memory of 4356 3928 ransom.exe 111 PID 4356 wrote to memory of 2980 4356 cmd.exe 112 PID 4356 wrote to memory of 2980 4356 cmd.exe 112 PID 4356 wrote to memory of 2980 4356 cmd.exe 112 PID 3928 wrote to memory of 636 3928 ransom.exe 113 PID 3928 wrote to memory of 636 3928 ransom.exe 113 PID 3928 wrote to memory of 636 3928 ransom.exe 113 PID 636 wrote to memory of 4020 636 cmd.exe 114 PID 636 wrote to memory of 4020 636 cmd.exe 114 PID 636 wrote to memory of 4020 636 cmd.exe 114 PID 3928 wrote to memory of 2244 3928 ransom.exe 119 PID 3928 wrote to memory of 2244 3928 ransom.exe 119 PID 3928 wrote to memory of 2244 3928 ransom.exe 119 PID 2244 wrote to memory of 4948 2244 cmd.exe 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe"C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe"1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3132
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1764
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2812
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4328
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4948
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4504
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3096
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4796
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2840
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:656
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3648
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:788
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:232
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4268
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2320
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4472
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4320
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4404
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:528
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1820
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1860
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4648
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4088
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4864
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3464
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3232
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:4568 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4860
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3792
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:3500 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2492
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:4304 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3448
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1092
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4092
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3136
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4872
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2076
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1504
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:412
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1268
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:808
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:3984 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3284
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4864
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2088
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3464
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:5052
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3012
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2980
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4196
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4188
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2064
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2544
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4976
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:540
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3172
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3136
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4092
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4396
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5080
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3648
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3224
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:948
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4060
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:4328 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2856
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:5112
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3964
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1176 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3820
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4360
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:432
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3652
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1844
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3504
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2064
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4264
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4692
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:1520
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3208
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4532
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4684
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4268
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1304
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4916
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3936
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
PID:2476
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4056
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:1352
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2272
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4704
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3964
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:5112
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3804
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:3164
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3776
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:5036
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4744
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
PID:1716
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:3200 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:2372
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1920
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
PID:1356
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3792
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:3012
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1004 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:2828
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:3436
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2848
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:2736
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3032
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
PID:1032
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2288
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:2456
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:900
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4688
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3448
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:2536
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:4184 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4636
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:4884 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5016
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3708
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:3780
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4480
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:4992
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3480
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4396
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3136
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
PID:3428
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:740
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:232
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2504
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2024
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4292
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
PID:532
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4788
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:4296
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:344
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:1268
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3964
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:1892
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1404
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:4244
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2704
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:1984
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1684
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2004
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4976
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:456
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1848
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:2804
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3708
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:1336
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1948
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:4684
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4340
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:2464
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4916
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:2476
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2020
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:3864
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4040
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:4924
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4056
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4876
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4296
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4788
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
PID:1820
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4864
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4576
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:2368
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:3876 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:808
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2292
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:2028
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4664
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
PID:1964
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3544
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:3680
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2704
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:1220
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3788
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:4640
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4868
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
PID:2544
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3728
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:1192
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4020
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:2808
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:4636 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:2096
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3448
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:2000
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2536
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:2100
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1092
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:964
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4396
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:3400
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:4332 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:3940
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:2932
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4384
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:3936
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:3696 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:728
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:4788 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:4296
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:1820
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:1268
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:2828
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4504
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3496
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3544
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4356
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
PID:4372
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2200
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4492
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:4392
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
PID:1376
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3728
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:1608
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:5016
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:3352
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:4044
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:368
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:2684
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵PID:2536
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:180
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:3912 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵
- Kills process with taskkill
PID:4980
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im mmc.exe /t2⤵
- System Location Discovery: System Language Discovery
PID:5040 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mmc.exe /t3⤵PID:4572
-
-