Analysis
max time kernel: 150s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 17:24
Static task: static1
General
Target: 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
Size: 4.3MB
MD5: 204698a57bfac24836e453a33d741466
SHA1: 29f3644735146f554f72b22582fa8a8fcc5759f8
SHA256: 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5
SHA512: 096495b6bcb1107c8e8470e83d86ce9e81c40632c81fa191c173ed68133cfd6821e2a0878c199084914be79f4f5e07603652cd92d27ffd0f31a2e8be7c6c66bf
SSDEEP: 98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLo:0jJC
Malware Config
Signatures
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE 64 IoCs
pid | Process
1568 | Logo1_.exe
1576, 4736, 3552, 1956, 1360, 3388, 5220, 4404, 4548, 2604, 704, 5376, 4092, 3768, 4976, 4964, 2768, 2720, 1796, 1612, 1464, 3380, 5388, 6076, 4240, 2720, 3924, 2928, 6100, 2712, 2460, 4156, 1916, 1332, 2260, 872, 5840, 4600, 3860, 1992, 1404, 5132, 1028, 4072, 5376, 1260, 732, 2212, 980, 4944, 3704, 1772, 4584, 540, 3844, 1928, 6100, 2712, 2460, 4084, 528, 1332, 2260 | 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe (63 entries in the order the sandbox lists them; several PIDs recur)
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\X:, \??\R:, \??\O:, \??\N:, \??\K:, \??\E:, \??\Z:, \??\W:, \??\T:, \??\L:, \??\H:, \??\Y:, \??\S:, \??\Q:, \??\M:, \??\V:, \??\U:, \??\P:, \??\J:, \??\I:, \??\G: | Logo1_.exe (one entry per drive letter, 21 in total)
-
Drops file in Program Files directory 64 IoCs
description | ioc (Process is Logo1_.exe for every entry)
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\_desktop.ini
File opened for modification | C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Install\{02C940F5-79D4-4B0D-9F60-3476E3E73CC9}\_desktop.ini
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\_desktop.ini
File created | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\EBWebView\_desktop.ini
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\_desktop.ini
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\_desktop.ini
File created | C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\_desktop.ini
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\_desktop.ini
File opened for modification | C:\Program Files\edge_BITS_4560_31636808\_desktop.ini
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\_desktop.ini
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\_desktop.ini
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\_desktop.ini
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\_desktop.ini
File opened for modification | C:\Program Files\VideoLAN\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\_desktop.ini
File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\EBWebView\x86\_desktop.ini
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\_desktop.ini
File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\WidevineCdm\_desktop.ini
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\_desktop.ini
File created | C:\Program Files\Windows Media Player\it-IT\_desktop.ini
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\_desktop.ini
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini
File opened for modification | C:\Program Files\Windows Defender\fr-FR\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\_desktop.ini
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\_desktop.ini
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\Logo1_.exe | 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe (63 entries)
File created | C:\Windows\rundl132.exe | 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe (1 entry)
-
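The three "Drops ..." signatures above give a small, concrete set of file indicators: Logo1_.exe and rundl132.exe created directly in C:\Windows by the sample, and an underscore-prefixed _desktop.ini written by Logo1_.exe into Word's STARTUP folder and into dozens of Program Files subfolders. The following is an added example, not part of the report or of any sandbox tooling, that turns those indicators into checks over FileCreate-style records (Sysmon Event ID 11 carries the same two fields, Image and TargetFilename). The event records are constructed for the example; the allowlists WINDOWS_ROOT_WRITERS and OFFICE_IMAGES are assumptions to tune for a given estate.

```python
from pathlib import PureWindowsPath

SAMPLE = "77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"

# Constructed FileCreate-style records, (Image, TargetFilename), mixing the
# report's IoCs with benign activity. Not taken from the report's own event log.
EVENTS = [
    (f"C:\\Users\\Admin\\Desktop\\{SAMPLE}", "C:\\Windows\\Logo1_.exe"),
    (f"C:\\Users\\Admin\\Desktop\\{SAMPLE}", "C:\\Windows\\rundl132.exe"),
    ("C:\\Windows\\Logo1_.exe",
     "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\_desktop.ini"),
    ("C:\\Windows\\Logo1_.exe", "C:\\Program Files\\VideoLAN\\_desktop.ini"),
    ("C:\\Windows\\explorer.exe", "C:\\Users\\Admin\\Documents\\desktop.ini"),
    ("C:\\Windows\\servicing\\TrustedInstaller.exe", "C:\\Windows\\regedit.exe"),
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "C:\\Users\\Admin\\Documents\\~$Report.docx"),
]

# Assumptions to tune per estate: images allowed to place executables directly
# in C:\Windows, and images expected to write into Word's STARTUP folder.
WINDOWS_ROOT_WRITERS = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}
OFFICE_IMAGES = {"winword.exe"}
# File names the report shows the sample dropping.
KNOWN_DROPPED = {"logo1_.exe", "rundl132.exe"}


def classify(image, target):
    """Return the list of rule names a single (Image, TargetFilename) record triggers."""
    path = PureWindowsPath(target)
    image_name = PureWindowsPath(image).name.lower()
    parts = [p.lower() for p in path.parts]
    hits = []

    # Rule 1: executable created directly in C:\Windows (not a subfolder) by an
    # image outside the servicing allowlist. PureWindowsPath compares case-insensitively.
    if (path.parent == PureWindowsPath("C:\\Windows")
            and path.suffix.lower() == ".exe"
            and image_name not in WINDOWS_ROOT_WRITERS):
        hits.append("exe_dropped_in_windows_root")

    # Rule 2: Explorer's folder-customization file is desktop.ini; the
    # underscore-prefixed variant is not something Windows writes.
    if path.name.lower() == "_desktop.ini":
        hits.append("underscore_desktop_ini")

    # Rule 3: Word loads templates and add-ins from ...\Microsoft\Word\STARTUP at
    # launch, so a non-Office writer there deserves a look whatever the file is.
    for i in range(len(parts) - 1):
        if parts[i] == "word" and parts[i + 1] == "startup" and image_name not in OFFICE_IMAGES:
            hits.append("word_startup_write")
            break

    # Rule 4: exact file names from the report, wherever they land.
    if path.name.lower() in KNOWN_DROPPED:
        hits.append("known_ioc_filename")
    return hits


def scan(events):
    """Apply classify() to every record; keep only the ones that fire at least one rule."""
    return [(image, target, hits) for image, target in events
            if (hits := classify(image, target))]


if __name__ == "__main__":
    for image, target, hits in scan(EVENTS):
        print(f"{', '.join(hits):45} {PureWindowsPath(image).name} -> {target}")
```

Rules 2 and 4 are exact-name matches and will only catch this sample and its close relatives; rules 1 and 3 are the behavioural ones worth keeping as standing detections, with the allowlists adjusted after a baseline run so that servicing and Office activity do not fire them.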
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe (36 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (27 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe (1 entry)
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
pid Process 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 6076 77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe 
1568 Logo1_.exe 1568 Logo1_.exe 1568 Logo1_.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                         pid    Process                                                                  procid_target   occurrences
PID 6076 wrote to memory of 1744    6076   77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe    86              3
PID 6076 wrote to memory of 1568    6076   77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe    87              3
PID 1568 wrote to memory of 5388    1568   Logo1_.exe                                                               89              3
PID 5388 wrote to memory of 3852    5388   net.exe                                                                  91              3
PID 1744 wrote to memory of 1576    1744   cmd.exe                                                                  92              3
PID 1576 wrote to memory of 4532    1576   77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe    93              3
PID 1568 wrote to memory of 3312    1568   Logo1_.exe                                                               55              2
PID 4532 wrote to memory of 4736    4532   cmd.exe                                                                  98              3
PID 4736 wrote to memory of 4720    4736   77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe    99              3
PID 4720 wrote to memory of 3552    4720   cmd.exe                                                                  106             3
PID 3552 wrote to memory of 4264    3552   77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe    107             3
PID 4264 wrote to memory of 1956    4264   cmd.exe                                                                  111             3
PID 1956 wrote to memory of 1780    1956   77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe    155             3
PID 1780 wrote to memory of 1360    1780   cmd.exe                                                                  114             3
PID 1360 wrote to memory of 1628    1360   77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe    115             3
PID 1628 wrote to memory of 3388    1628   cmd.exe                                                                  118             3
PID 3388 wrote to memory of 4296    3388   77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe    119             3
PID 4296 wrote to memory of 5220    4296   cmd.exe                                                                  121             3
PID 5220 wrote to memory of 3032    5220   77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe    122             3
PID 3032 wrote to memory of 4404    3032   cmd.exe                                                                  124             3
PID 4404 wrote to memory of 1692    4404   77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe    125             3
PID 1692 wrote to memory of 4548    1692   cmd.exe                                                                  129             2
Processes
depth 1, PID 3312: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
depth 2, PID 6076: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 3, PID 1744: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9470.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
depth 4, PID 1576: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 5, PID 4532: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a952B.bat
  - Suspicious use of WriteProcessMemory
depth 6, PID 4736: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 7, PID 4720: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9C11.bat
  - Suspicious use of WriteProcessMemory
depth 8, PID 3552: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
depth 9, PID 4264: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA2F7.bat
  - Suspicious use of WriteProcessMemory
depth 10, PID 1956: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 11, PID 1780: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA8C3.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
depth 12, PID 1360: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
depth 13, PID 1628: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD57.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
depth 14, PID 3388: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 15, PID 4296: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB229.bat
  - Suspicious use of WriteProcessMemory
depth 16, PID 5220: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
depth 17, PID 3032: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB630.bat
  - Suspicious use of WriteProcessMemory
depth 18, PID 4404: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 19, PID 1692: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBA09.bat
  - Suspicious use of WriteProcessMemory
depth 20, PID 4548: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 21, PID 2576: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBE4F.bat
depth 22, PID 2604: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 23, PID 5684: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC1AA.bat
  - System Location Discovery: System Language Discovery
depth 24, PID 704: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 25, PID 2224: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC5B1.bat
  - System Location Discovery: System Language Discovery
depth 26, PID 5376: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 27, PID 5356: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC861.bat
depth 28, PID 4092: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 29, PID 400: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCAD2.bat
depth 30, PID 3768: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 31, PID 5720: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCCF5.bat
  - System Location Discovery: System Language Discovery
depth 32, PID 4976: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 33, PID 4032: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCF08.bat
  - System Location Discovery: System Language Discovery
depth 34, PID 4964: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 35, PID 2468: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD1B7.bat
depth 36, PID 2768: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 37, PID 3900: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD438.bat
depth 38, PID 1780: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 38, PID 2720: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 39, PID 3056: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD68A.bat
depth 40, PID 1796: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
depth 41, PID 3244: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD92A.bat
depth 42, PID 1612: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 43, PID 4556: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDBBA.bat
depth 44, PID 1464: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 45, PID 2092: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDD9E.bat
  - System Location Discovery: System Language Discovery
depth 46, PID 3380: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 47, PID 5008: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDE89.bat
depth 48, PID 5388: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
depth 49, PID 2404: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDFD1.bat
depth 50, PID 6076: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 51, PID 548: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE0BB.bat
  - System Location Discovery: System Language Discovery
depth 52, PID 4240: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 53, PID 1608: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE167.bat
depth 54, PID 2720: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 55, PID 372: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE203.bat
depth 56, PID 3924: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
depth 57, PID 1520: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE280.bat
depth 58, PID 2928: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 59, PID 1592: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE32C.bat
depth 60, PID 6100: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 61, PID 5764: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE3C8.bat
  - System Location Discovery: System Language Discovery
depth 62, PID 2712: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 63, PID 5888: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE445.bat
depth 64, PID 1464: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 64, PID 2460: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 65, PID 2120: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE4C2.bat
  - System Location Discovery: System Language Discovery
depth 66, PID 4156: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 67, PID 5892: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE510.bat
depth 68, PID 1916: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 69, PID 3792: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE56E.bat
depth 70, PID 1332: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 71, PID 2504: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE5FB.bat
depth 72, PID 2260: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 73, PID 4576: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE668.bat
depth 74, PID 872: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 75, PID 5464: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE6E5.bat
  - System Location Discovery: System Language Discovery
depth 76, PID 5840: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 77, PID 3412: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE743.bat
depth 78, PID 4600: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 79, PID 932: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE7D0.bat
depth 80, PID 3860: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 81, PID 4548: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE86C.bat
depth 82, PID 1992: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 83, PID 1076: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE8E9.bat
depth 84, PID 1404: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 85, PID 2296: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE985.bat
depth 86, PID 5132: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 87, PID 2044: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE9F2.bat
depth 88, PID 1028: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 89, PID 5320: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEA60.bat
  - System Location Discovery: System Language Discovery
depth 90, PID 4072: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 91, PID 3484: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEAEC.bat
  - System Location Discovery: System Language Discovery
depth 92, PID 5376: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 93, PID 400: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEB69.bat
depth 94, PID 3768: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 94, PID 1260: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 95, PID 224: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEBF6.bat
depth 96, PID 732: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
depth 97, PID 3016: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEC63.bat
depth 98, PID 2212: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
depth 99, PID 4848: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aED00.bat
depth 100, PID 980: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 101, PID 2956: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aED9C.bat
depth 102, PID 4944: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 103, PID 3264: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEE09.bat
depth 104, PID 3704: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
depth 105, PID 3836: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEE67.bat
depth 106, PID 1772: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 107, PID 5036: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEEC5.bat
  - System Location Discovery: System Language Discovery
depth 108, PID 4584: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 109, PID 6136: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEF42.bat
depth 110, PID 540: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 111, PID 5156: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEFAF.bat
depth 112, PID 1608: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 112, PID 3844: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 113, PID 4132: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF02C.bat
depth 114, PID 1928: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 115, PID 5724: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF117.bat
depth 116, PID 2928: C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 116, PID 6100: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 117, PID 1592: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF1B3.bat
depth 118, PID 2712: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
depth 119, PID 5472: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF25F.bat
depth 120, PID 2460: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 121, PID 4724: C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF2DC.bat
  - System Location Discovery: System Language Discovery
depth 122, PID 4084: C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\77bb92f9c181c82164b508aa0a549986dc07174176b0336ed8d41f06b35160c5.exe"
  - Executes dropped EXE