Analysis
-
max time kernel
120s -
max time network
63s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
20-11-2024 19:42
Static task
static1
Behavioral task
behavioral1
Sample
1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
Resource
win10v2004-20241007-en
General
-
Target
1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe
-
Size
187KB
-
MD5
165ff7a540b2338d7b848c17c9e9e9ca
-
SHA1
2b4ccc7579cd41e57cd6e19108ea7df964b6b0b9
-
SHA256
1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5
-
SHA512
225e7909b4587c2a090681de0ac870c5ad00f245f6467e51f1b99489d149fffd8e57907fceb435b31b30c4adaadb89b0e718a73cdace715369b269584bec41be
-
SSDEEP
3072:kxqO4KrRMCg2fMLAEO8NGzswbpA3fiani/dckNHqTl9EsRVKQoY:koOMCDMLANEf9iFckNK59EPY
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs (sets HKCU\...\Explorer\Advanced\HideFileExt = 1, which hides known file extensions in Explorer; a common way to make a double-extension executable look like a document)
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
Processes (signature heading missing on this page; the entries below set HKLM\...\Policies\System\EnableLUA = 0 via reg.exe, which disables User Account Control on the next logon):
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (64) files with added filename extension
This is consistent with ransomware encrypting files on the system, but a rename with an appended extension does not by itself prove the contents were encrypted; confirm by comparing file contents or entropy before and after, and check whether a ransom note was dropped.
-
Checks computer location settings 2 TTPs 1 IoCs
Reads the country code configured in the registry (Control Panel\International\Geo\Nation), likely used to geofence execution by victim location.
Processes:
cUEgsAEU.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation cUEgsAEU.exe -
Executes dropped EXE 2 IoCs
Processes:
cUEgsAEU.exeLQEYMoYU.exepid process 1868 cUEgsAEU.exe 2536 LQEYMoYU.exe -
Loads dropped DLL 20 IoCs
Processes:
1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execUEgsAEU.exepid process 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens. Note that this signature is reported here as TTPs only, with no concrete IoC (file or registry access) listed on this page.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execUEgsAEU.exeLQEYMoYU.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LQEYMoYU.exe = "C:\\ProgramData\\XskIEUcI\\LQEYMoYU.exe" 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\cUEgsAEU.exe = "C:\\Users\\Admin\\FCoYQYcM\\cUEgsAEU.exe" cUEgsAEU.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LQEYMoYU.exe = "C:\\ProgramData\\XskIEUcI\\LQEYMoYU.exe" LQEYMoYU.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\cUEgsAEU.exe = "C:\\Users\\Admin\\FCoYQYcM\\cUEgsAEU.exe" 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe -
Drops file in Windows directory 1 IoCs
Processes:
cUEgsAEU.exedescription ioc process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico cUEgsAEU.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Reported as a TTP only; no specific device path is listed on this page.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. On this page the NLS\Language key is opened by reg.exe, cmd.exe and cscript.exe as well as by the sample itself, so many of these hits are likely incidental reads by the spawned helper processes rather than deliberate discovery by the malware.
Processes:
reg.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exereg.exereg.execmd.exereg.execmd.execscript.exereg.execmd.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exereg.execmd.exereg.execscript.execmd.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execscript.exereg.exereg.execmd.execmd.exereg.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.exereg.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execscript.exereg.exereg.exereg.exereg.exereg.exereg.execscript.execscript.exereg.execscript.execscript.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exereg.execscript.exereg.execscript.exereg.execscript.exereg.execmd.execscript.execmd.execmd.exereg.exereg.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 64 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 2672 reg.exe 2428 reg.exe 2008 reg.exe 1196 reg.exe 1856 reg.exe 1460 reg.exe 2800 reg.exe 2672 reg.exe 2584 reg.exe 1712 reg.exe 1536 reg.exe 2884 reg.exe 1120 reg.exe 2748 reg.exe 2888 reg.exe 2384 reg.exe 1612 reg.exe 2616 reg.exe 2968 reg.exe 1660 reg.exe 1444 reg.exe 2776 reg.exe 2744 reg.exe 2912 reg.exe 2688 reg.exe 688 reg.exe 2932 reg.exe 2876 reg.exe 2152 reg.exe 1464 reg.exe 2636 reg.exe 1364 reg.exe 2292 reg.exe 1688 reg.exe 2884 reg.exe 1784 reg.exe 2920 reg.exe 2764 reg.exe 2768 reg.exe 1160 reg.exe 2948 reg.exe 2628 reg.exe 1588 reg.exe 2148 reg.exe 1672 reg.exe 1476 reg.exe 2148 reg.exe 2348 reg.exe 2108 reg.exe 2176 reg.exe 2692 reg.exe 2156 reg.exe 1532 reg.exe 2292 reg.exe 1536 reg.exe 2688 reg.exe 2776 reg.exe 572 reg.exe 2388 reg.exe 1540 reg.exe 1552 reg.exe 2084 reg.exe 2912 reg.exe 2432 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb8
8715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exepid process 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 928 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 928 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1880 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1880 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2504 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2504 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1960 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1960 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2060 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2060 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1056 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1056 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1216 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1216 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2004 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2004 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2096 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2096 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2944 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2944 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 3068 
1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 3068 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2792 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2792 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1992 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1992 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1524 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1524 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2424 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2424 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2376 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2376 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2624 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2624 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2924 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2924 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 916 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 916 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1484 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1484 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 320 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 320 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2808 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2808 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2176 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2176 
1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1200 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1200 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2116 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2116 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2760 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2760 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2268 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2268 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2764 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 2764 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1956 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe 1956 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
cUEgsAEU.exepid process 1868 cUEgsAEU.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
cUEgsAEU.exepid process 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe 1868 cUEgsAEU.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.execmd.exe1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.execmd.execmd.exedescription pid process target process PID 1852 wrote to memory of 1868 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cUEgsAEU.exe PID 1852 wrote to memory of 1868 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cUEgsAEU.exe PID 1852 wrote to memory of 1868 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cUEgsAEU.exe PID 1852 wrote to memory of 1868 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cUEgsAEU.exe PID 1852 wrote to memory of 2536 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe LQEYMoYU.exe PID 1852 wrote to memory of 2536 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe LQEYMoYU.exe PID 1852 wrote to memory of 2536 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe LQEYMoYU.exe PID 1852 wrote to memory of 2536 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe LQEYMoYU.exe PID 1852 wrote to memory of 2192 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 1852 wrote to memory of 2192 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 1852 wrote to memory of 2192 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 1852 wrote to memory of 2192 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 1852 wrote to memory of 2668 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 2668 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 2668 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 
2668 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 2704 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 2704 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 2704 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 2704 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 2956 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 2956 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 2956 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 2956 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 1852 wrote to memory of 2708 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 1852 wrote to memory of 2708 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 1852 wrote to memory of 2708 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 1852 wrote to memory of 2708 1852 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 2192 wrote to memory of 2736 2192 cmd.exe 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe PID 2192 wrote to memory of 2736 2192 cmd.exe 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe PID 2192 wrote to memory of 2736 2192 cmd.exe 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe PID 2192 wrote to memory of 2736 2192 cmd.exe 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe PID 2708 wrote to memory of 2608 2708 cmd.exe cscript.exe PID 2708 wrote 
to memory of 2608 2708 cmd.exe cscript.exe PID 2708 wrote to memory of 2608 2708 cmd.exe cscript.exe PID 2708 wrote to memory of 2608 2708 cmd.exe cscript.exe PID 2736 wrote to memory of 2140 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 2736 wrote to memory of 2140 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 2736 wrote to memory of 2140 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 2736 wrote to memory of 2140 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 2140 wrote to memory of 928 2140 cmd.exe 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe PID 2140 wrote to memory of 928 2140 cmd.exe 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe PID 2140 wrote to memory of 928 2140 cmd.exe 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe PID 2140 wrote to memory of 928 2140 cmd.exe 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe PID 2736 wrote to memory of 2324 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 2736 wrote to memory of 2324 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 2736 wrote to memory of 2324 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 2736 wrote to memory of 2324 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 2736 wrote to memory of 2628 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 2736 wrote to memory of 2628 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 2736 wrote to memory of 2628 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 2736 wrote to memory of 2628 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 
2736 wrote to memory of 2920 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 2736 wrote to memory of 2920 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 2736 wrote to memory of 2920 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 2736 wrote to memory of 2920 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe reg.exe PID 2736 wrote to memory of 1276 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 2736 wrote to memory of 1276 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 2736 wrote to memory of 1276 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 2736 wrote to memory of 1276 2736 1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe cmd.exe PID 1276 wrote to memory of 2620 1276 cmd.exe cscript.exe PID 1276 wrote to memory of 2620 1276 cmd.exe cscript.exe PID 1276 wrote to memory of 2620 1276 cmd.exe cscript.exe PID 1276 wrote to memory of 2620 1276 cmd.exe cscript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe"C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Users\Admin\FCoYQYcM\cUEgsAEU.exe"C:\Users\Admin\FCoYQYcM\cUEgsAEU.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1868
-
-
C:\ProgramData\XskIEUcI\LQEYMoYU.exe"C:\ProgramData\XskIEUcI\LQEYMoYU.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2536
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"2⤵
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba53⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba55⤵
- Suspicious behavior: EnumeratesProcesses
PID:928 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"6⤵PID:1548
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"8⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba59⤵
- Suspicious behavior: EnumeratesProcesses
PID:2504 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"10⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba511⤵
- Suspicious behavior: EnumeratesProcesses
PID:1960 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"12⤵PID:324
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba513⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"14⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba515⤵
- Suspicious behavior: EnumeratesProcesses
PID:1056 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"16⤵PID:1940
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba517⤵
- Suspicious behavior: EnumeratesProcesses
PID:1216 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"18⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba519⤵
- Suspicious behavior: EnumeratesProcesses
PID:2004 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"20⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba521⤵
- Suspicious behavior: EnumeratesProcesses
PID:2096 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"22⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba523⤵
- Suspicious behavior: EnumeratesProcesses
PID:2944 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"24⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba525⤵
- Suspicious behavior: EnumeratesProcesses
PID:3068 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"26⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba527⤵
- Suspicious behavior: EnumeratesProcesses
PID:2792 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"28⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba529⤵
- Suspicious behavior: EnumeratesProcesses
PID:1992 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"30⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba531⤵
- Suspicious behavior: EnumeratesProcesses
PID:1524 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"32⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba533⤵
- Suspicious behavior: EnumeratesProcesses
PID:2424 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"34⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba535⤵
- Suspicious behavior: EnumeratesProcesses
PID:2376 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"36⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba537⤵
- Suspicious behavior: EnumeratesProcesses
PID:2624 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"38⤵PID:608
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba539⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"40⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba541⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:916 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"42⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba543⤵
- Suspicious behavior: EnumeratesProcesses
PID:1484 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"44⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba545⤵
- Suspicious behavior: EnumeratesProcesses
PID:2852 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"46⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba547⤵
- Suspicious behavior: EnumeratesProcesses
PID:320 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"48⤵PID:928
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba549⤵
- Suspicious behavior: EnumeratesProcesses
PID:2808 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"50⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba551⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"52⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba553⤵
- Suspicious behavior: EnumeratesProcesses
PID:1200 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"54⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba555⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"56⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba557⤵
- Suspicious behavior: EnumeratesProcesses
PID:2760 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"58⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba559⤵
- Suspicious behavior: EnumeratesProcesses
PID:2268 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"60⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba561⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"62⤵
- System Location Discovery: System Language Discovery
PID:944 -
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba563⤵
- Suspicious behavior: EnumeratesProcesses
PID:1956 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"64⤵PID:112
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba565⤵PID:2212
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"66⤵PID:2388
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba567⤵PID:1684
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"68⤵PID:2736
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba569⤵PID:324
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"70⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba571⤵PID:2908
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"72⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba573⤵PID:2768
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"74⤵PID:2240
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba575⤵PID:1752
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"76⤵PID:3004
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba577⤵PID:1932
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"78⤵
- System Location Discovery: System Language Discovery
PID:1228 -
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba579⤵PID:2968
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"80⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba581⤵PID:2708
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"82⤵PID:2224
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba583⤵PID:1976
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"84⤵PID:1008
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba585⤵PID:1584
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"86⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba587⤵PID:1740
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"88⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba589⤵PID:2160
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"90⤵PID:2956
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba591⤵PID:2608
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"92⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba593⤵PID:1644
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"94⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba595⤵PID:1928
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"96⤵PID:552
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba597⤵PID:2396
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"98⤵PID:1252
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba599⤵
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"100⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5101⤵PID:3008
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"102⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5103⤵PID:3052
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"104⤵PID:1328
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5105⤵PID:1800
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"106⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5107⤵PID:1012
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"108⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5109⤵
- System Location Discovery: System Language Discovery
PID:352 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"110⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5111⤵PID:2872
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"112⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5113⤵PID:2424
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"114⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5115⤵PID:444
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"116⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5117⤵PID:2952
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"118⤵PID:1628
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5119⤵PID:3012
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"120⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5.exeC:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5121⤵PID:2280
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\1693c70edbe17a0347d769d47eb88715bc22dc50c2e1b1af187a39fa22c07ba5"122⤵PID:2860
-