Analysis
max time kernel: 17s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-01-2025 13:00
Behavioral task
behavioral1
Sample
Hackus.exe
Resource
win7-20241023-en
Errors
General
-
Target
Hackus.exe
-
Size
3.0MB
-
MD5
9c663208365a83ec2b477cccb6467b48
-
SHA1
e7b1ade7745edb3728819e91e63cbc8150bef850
-
SHA256
28d86a07879646a56eb6540184ba97968909b23bcfd85e902ae868521c311e81
-
SHA512
a61c99646df0b701d1674534e7258e4714f7930f6220f93bdb15ea0c8351b8ea288c033cf388932d18986a0a5005c694933a94abb4f591b76a90867600302379
-
SSDEEP
24576:Fl66l+Tg33ypYcJ52Ymx35h0s5zQ+6fe05bdgBJrGrdqDwEHK2oJ8BoZecPKeNlb:FLlP3G5KT6W0/KJQdqsF5JcJ+l2VbbU
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7044437613:AAEXeS1SKGTrEjQ8F-7vSegWo8OLABeJY5k/sendMessage?chat_id=6052812018
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource: behavioral2/files/0x000c000000023b3f-4.dat, yara_rule: family_stormkitty
resource: behavioral2/memory/2892-13-0x0000000000310000-0x0000000000342000-memory.dmp, yara_rule: family_stormkitty
-
Stormkitty family
-
Async RAT payload 1 IoCs
resource: behavioral2/files/0x000c000000023b3f-4.dat, yara_rule: family_asyncrat
-
Checks computer location settings 2 TTPs 34 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
Process: HACKUS.EXE (the same row repeats for each of the 34 IoCs)
-
Executes dropped EXE 34 IoCs
Process: LET.EXE
pids: 3688, 2892, 4564, 3972, 1560, 2156, 4824, 4576, 2532, 4800, 876, 4604, 1572, 2700, 3864, 4428, 1840, 1344, 3220, 4592, 3668, 5448, 5876, 5380, 2688, 5668, 5952, 3876, 4936, 3732, 5648, 1388, 3552, 4336
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
pid | pid_target | Process | procid_target
1872 | 10296 | WerFault.exe | 415
11480 | 7948 | WerFault.exe | 250
5960 | 8716 | WerFault.exe | 402
11844 | 8428 | WerFault.exe | 420
6160 | 11036 | WerFault.exe | 428
3776 | 5376 | WerFault.exe | 158
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes: LET.EXE, HACKUS.EXE (the same row repeats across the 64 IoCs)
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 18 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
Process: netsh.exe, pids: 6936, 9108, 6240, 6180, 7688, 7560, 7732, 7504, 8692
Process: cmd.exe, pids: 7608, 7548, 6556, 6680, 6036, 7644, 6308, 644, 7716
-
Scheduled Task/Job: Scheduled Task 1 TTPs 38 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe
pids: 8676, 9508, 12080, 9376, 9360, 6504, 6824, 6300, 5712, 10348, 3968, 10284, 11616, 11336, 10928, 7936, 3672, 10288, 184, 8104, 6232, 11624, 8332, 2892, 8132, 3864, 6932, 6228, 6712, 10108, 6808, 6132, 11308, 10948, 9932, 10708, 5280, 8892
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
Process: LET.EXE
pids (each listed three times): 1560, 3972, 3688, 4564, 2892, 2156, 1572, 2532, 4824, 4604, 4576, 4800, 876, 3864, 2700, 4428, 1840, 1344
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Token: SeDebugPrivilege
Process: LET.EXE
pids: 2892, 3688, 4564, 3972, 1560, 2156, 1572, 4824, 2532, 4800, 4604, 4576, 876, 3864, 2700, 4428, 1840, 1344
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Hackus.exe"C:\Users\Admin\AppData\Local\Temp\Hackus.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"6⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"8⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"9⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"10⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"11⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"12⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3468 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"13⤵
- Checks computer location settings
PID:648 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"14⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4236 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"15⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"16⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4188 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"17⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"18⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3196 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"19⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"20⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:212 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"21⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"22⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"23⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"24⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5868 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"25⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:520 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"26⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4188 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"27⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5652 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"28⤵
- Checks computer location settings
PID:5700 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"29⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5240 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"30⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5568 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"31⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5344 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"32⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5624 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"33⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5936 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"34⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:468 -
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"35⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"36⤵PID:5208
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"37⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"38⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"39⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"40⤵PID:6016
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"41⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"42⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"43⤵PID:348
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"44⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"45⤵PID:4424
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"46⤵PID:2140
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"47⤵PID:5500
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"48⤵PID:5368
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"49⤵PID:6372
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"50⤵PID:6736
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"51⤵PID:7052
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"52⤵PID:6256
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"53⤵PID:6812
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"54⤵PID:5612
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"55⤵PID:6756
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"56⤵PID:6160
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"57⤵PID:6580
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"58⤵PID:660
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"59⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"60⤵PID:7224
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"61⤵PID:7396
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"62⤵PID:7796
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"63⤵PID:6944
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"64⤵PID:6544
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"65⤵PID:7864
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"66⤵PID:6220
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"67⤵PID:5924
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"68⤵PID:6560
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"69⤵PID:7940
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"70⤵PID:6624
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"71⤵PID:7608
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"72⤵PID:6556
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"73⤵PID:7788
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"74⤵PID:6276
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"75⤵PID:644
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"76⤵PID:7548
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"77⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"78⤵PID:8088
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"79⤵PID:6688
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"80⤵PID:8440
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"81⤵PID:9100
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"82⤵PID:8308
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"83⤵PID:8868
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"84⤵PID:7308
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"85⤵PID:6916
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"86⤵PID:8240
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"87⤵PID:8280
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"88⤵PID:8644
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"89⤵PID:6548
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"90⤵PID:8636
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"91⤵PID:8312
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"92⤵PID:8844
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"93⤵PID:8736
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"94⤵PID:7596
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"95⤵PID:5360
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"96⤵PID:8952
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"97⤵PID:8528
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"98⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"99⤵PID:6768
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"100⤵PID:9684
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"101⤵PID:9812
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"102⤵PID:9948
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"103⤵PID:9292
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"104⤵PID:8932
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"105⤵PID:10184
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"106⤵PID:10024
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"107⤵PID:9684
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"108⤵PID:9320
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"109⤵PID:10084
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"110⤵PID:10204
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"111⤵PID:9612
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"112⤵PID:10032
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"113⤵PID:9424
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"114⤵PID:8948
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"115⤵PID:9656
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"116⤵PID:6052
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"117⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"118⤵PID:1912
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"119⤵PID:9712
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"120⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"121⤵PID:9760
-
C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"C:\Users\Admin\AppData\Local\Temp\HACKUS.EXE"122⤵PID:10344