Analysis
max time kernel: 120s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2024, 00:10
Static task: static1
Behavioral task: behavioral1
  Sample: db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
  Resource: win10v2004-20241007-en
General
Target: db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
Size: 197KB
MD5: 3f83ff6ed6c5143c3f5b5d2df211d870
SHA1: a4690dd168ddf64cc0d8668f918c16650e9d8856
SHA256: db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9
SHA512: 48c4ca30e1d5100479974a53c186b70f7c028206430f5b353b112985e625d745a3569d74fc79a98f0775e30c779b989d927332b607aa144b1419e1478686d037
SSDEEP: 3072:x8eCcdYyihtjS7oIVTZMbRbdY7+EkYV/912r/zDI4Bun7uhKD5kY6q4:ieSyihxS7oIsbNO91YL7eKxR
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found

Renames multiple (86) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | gwooEwMc.exe

Executes dropped EXE 2 IoCs
pid | Process
4520 | gwooEwMc.exe
3240 | mucsYUUU.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gwooEwMc.exe = "C:\\Users\\Admin\\lKwcEkEY\\gwooEwMc.exe" | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucsYUUU.exe = "C:\\ProgramData\\xGYksgIk\\mucsYUUU.exe" | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gwooEwMc.exe = "C:\\Users\\Admin\\lKwcEkEY\\gwooEwMc.exe" | gwooEwMc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucsYUUU.exe = "C:\\ProgramData\\xGYksgIk\\mucsYUUU.exe" | mucsYUUU.exe

Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\shell32.dll.exe | gwooEwMc.exe
File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | gwooEwMc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe

Modifies registry key 1 TTPs 64 IoCs
pid | Process
4432 | reg.exe
2292 | reg.exe
4852 | reg.exe
3688 | Process not Found
4016 | Process not Found
4916 | reg.exe
4368 | reg.exe
2184 | reg.exe
3656 | Process not Found
4016 | reg.exe
4756 | Process not Found
4792 | Process not Found
1880 | reg.exe
4516 | reg.exe
1864 | reg.exe
4756 | reg.exe
2572 | reg.exe
1276 | reg.exe
4616 | reg.exe
3980 | reg.exe
1788 | reg.exe
4340 | Process not Found
4104 | reg.exe
3292 | reg.exe
4976 | reg.exe
4248 | reg.exe
1604 | reg.exe
3304 | Process not Found
3424 | reg.exe
1196 | reg.exe
1196 | reg.exe
3104 | Process not Found
2132 | reg.exe
1472 | reg.exe
1828 | reg.exe
4836 | Process not Found
228 | reg.exe
3724 | Process not Found
4916 | Process not Found
4296 | reg.exe
2792 | reg.exe
4836 | reg.exe
4516 | Process not Found
4876 | reg.exe
960 | reg.exe
228 | reg.exe
624 | reg.exe
1232 | reg.exe
3436 | Process not Found
1696 | reg.exe
1788 | reg.exe
432 | reg.exe
3592 | reg.exe
4248 | reg.exe
544 | reg.exe
2936 | reg.exe
1916 | reg.exe
2128 | reg.exe
1696 | reg.exe
4256 | Process not Found
1988 | Process not Found
4528 | Process not Found
4824 | reg.exe
3300 | reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4560 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
4560 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
4560 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
4560 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1612 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1612 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1612 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1612 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
4760 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
4760 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
4760 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
4760 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1700 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1700 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1700 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1700 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1784 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1784 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1784 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1784 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1388 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1388 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1388 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1388 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
4528 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
4528 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
4528 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
4528 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1196 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1196 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1196 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1196 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3596 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3596 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3596 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3596 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3796 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3796 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3796 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3796 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
2412 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
2412 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
2412 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
2412 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
5016 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
5016 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
5016 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
5016 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3328 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3328 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3328 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
3328 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
2948 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
2948 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
2948 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
2948 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1912 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1912 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1912 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1912 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1876 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1876 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1876 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe
1876 | db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4520 gwooEwMc.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4520 gwooEwMc.exe (all 64 matches are this same process)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe"C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Users\Admin\lKwcEkEY\gwooEwMc.exe"C:\Users\Admin\lKwcEkEY\gwooEwMc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4520
-
-
C:\ProgramData\xGYksgIk\mucsYUUU.exe"C:\ProgramData\xGYksgIk\mucsYUUU.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3240
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"2⤵
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"4⤵
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"6⤵
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"8⤵PID:1868
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"10⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"12⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"14⤵PID:4532
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"16⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"18⤵
- System Location Discovery: System Language Discovery
PID:3940 -
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N19⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"20⤵PID:2840
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"22⤵
- System Location Discovery: System Language Discovery
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N23⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"24⤵PID:804
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"26⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2948 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"28⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"30⤵
- System Location Discovery: System Language Discovery
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"32⤵PID:4500
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N33⤵PID:2380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"34⤵PID:392
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N35⤵PID:3016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"36⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N37⤵PID:5008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"38⤵
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N39⤵PID:1036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"40⤵PID:4916
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N41⤵PID:5056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"42⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N43⤵PID:4568
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"44⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N45⤵PID:3272
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"46⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N47⤵PID:1744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"48⤵PID:1300
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N49⤵PID:1380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"50⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N51⤵PID:1660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"52⤵PID:2456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:228
-
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N53⤵PID:4296
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"54⤵
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N55⤵PID:3132
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"56⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N57⤵PID:4292
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"58⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N59⤵PID:4132
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"60⤵PID:3848
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵PID:2876
-
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N61⤵PID:1716
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"62⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N63⤵PID:4756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"64⤵
- System Location Discovery: System Language Discovery
PID:432 -
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N65⤵PID:1080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"66⤵PID:624
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N67⤵PID:4380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"68⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N69⤵PID:4368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"70⤵PID:4504
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV171⤵PID:4572
-
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N71⤵PID:3768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"72⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N73⤵PID:4588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"74⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N75⤵PID:3068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"76⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N77⤵PID:3132
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"78⤵PID:460
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N79⤵PID:668
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"80⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N81⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"82⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N83⤵PID:1912
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"84⤵PID:1172
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵PID:4672
-
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N85⤵PID:1784
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"86⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N87⤵PID:2200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"88⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N89⤵PID:2004
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"90⤵PID:4864
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N91⤵PID:4852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"92⤵PID:4604
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N93⤵PID:528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"94⤵
- System Location Discovery: System Language Discovery
PID:460 -
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N95⤵PID:2056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"96⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N97⤵PID:4444
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"98⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N99⤵PID:4764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"100⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N101⤵PID:1608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"102⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exeC:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N103⤵PID:3556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"104⤵PID:4916
-
C:\Windows\System32\Conhost.exe (level 105, PID 2052)
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe (level 105, PID 3144)
    command line: C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N
    signatures: System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\cmd.exe (level 106, PID 1356)
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe (level 107, PID 828)
    command line: C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cmd.exe (level 108, PID 3688)
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe (level 109, PID 4856)
    command line: C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cmd.exe (level 110, PID 1604)
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe (level 111, PID 4348)
    command line: C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cmd.exe (level 112, PID 4116)
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe (level 113, PID 4572)
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe (level 113, PID 2584)
    command line: C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cmd.exe (level 114, PID 1592)
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe (level 115, PID 3716)
    command line: C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cmd.exe (level 116, PID 1364)
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Windows\System32\Conhost.exe (level 117, PID 2012)
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe (level 117, PID 4384)
    command line: C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cmd.exe (level 118, PID 2200)
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe (level 119, PID 3600)
    command line: C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cmd.exe (level 120, PID 2404)
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"

C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N.exe (level 121, PID 1536)
    command line: C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N

C:\Windows\SysWOW64\cmd.exe (level 122, PID 852)
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\db0f5b878e6eb1fdb208a1b3fa600ae21acf085e6192c77cbeb5afcaf0f671f9N"