Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 17:25

Static task: static1

Behavioral task: behavioral1
Sample: 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe
Resource: win10v2004-20250502-en

Behavioral task: behavioral2
Sample: 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe
Resource: win11-20250619-en
General
Target: 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe
Size: 6.1MB
MD5: c0e61d11f0ec05999ea19383e9f1db4a
SHA1: bef90c69ed9cdaa07e578821f164394ad8148378
SHA256: 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088
SHA512: 0f5edb36ab1f82c85e6f9e0629ddc90d6c5b8636481c0fe01619b053d0a9c3f77ad2ef81cb83549d941cd394c7f9f7d1e75bf723579775c5010ee7626ef0c54f
SSDEEP: 98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL4:0jJC
Malware Config

Signatures

Executes dropped EXE (64 IoCs)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description              ioc     Process
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Runs net.exe
Suspicious behavior: EnumeratesProcesses (62 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1588 wrote to memory of 1896 | 1588 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 84 |
| PID 1588 wrote to memory of 1896 | 1588 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 84 |
| PID 1588 wrote to memory of 1896 | 1588 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 84 |
| PID 1588 wrote to memory of 4728 | 1588 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 85 |
| PID 1588 wrote to memory of 4728 | 1588 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 85 |
| PID 1588 wrote to memory of 4728 | 1588 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 85 |
| PID 4728 wrote to memory of 2672 | 4728 | Logo1_.exe | 87 |
| PID 4728 wrote to memory of 2672 | 4728 | Logo1_.exe | 87 |
| PID 4728 wrote to memory of 2672 | 4728 | Logo1_.exe | 87 |
| PID 2672 wrote to memory of 3112 | 2672 | net.exe | 89 |
| PID 2672 wrote to memory of 3112 | 2672 | net.exe | 89 |
| PID 2672 wrote to memory of 3112 | 2672 | net.exe | 89 |
| PID 1896 wrote to memory of 3796 | 1896 | cmd.exe | 90 |
| PID 1896 wrote to memory of 3796 | 1896 | cmd.exe | 90 |
| PID 1896 wrote to memory of 3796 | 1896 | cmd.exe | 90 |
| PID 3796 wrote to memory of 2136 | 3796 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 91 |
| PID 3796 wrote to memory of 2136 | 3796 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 91 |
| PID 3796 wrote to memory of 2136 | 3796 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 91 |
| PID 2136 wrote to memory of 1892 | 2136 | cmd.exe | 93 |
| PID 2136 wrote to memory of 1892 | 2136 | cmd.exe | 93 |
| PID 2136 wrote to memory of 1892 | 2136 | cmd.exe | 93 |
| PID 1892 wrote to memory of 4040 | 1892 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 94 |
| PID 1892 wrote to memory of 4040 | 1892 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 94 |
| PID 1892 wrote to memory of 4040 | 1892 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 94 |
| PID 4040 wrote to memory of 4700 | 4040 | cmd.exe | 96 |
| PID 4040 wrote to memory of 4700 | 4040 | cmd.exe | 96 |
| PID 4040 wrote to memory of 4700 | 4040 | cmd.exe | 96 |
| PID 4700 wrote to memory of 4828 | 4700 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 97 |
| PID 4700 wrote to memory of 4828 | 4700 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 97 |
| PID 4700 wrote to memory of 4828 | 4700 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 97 |
| PID 4728 wrote to memory of 3472 | 4728 | Logo1_.exe | 56 |
| PID 4728 wrote to memory of 3472 | 4728 | Logo1_.exe | 56 |
| PID 4828 wrote to memory of 4636 | 4828 | cmd.exe | 99 |
| PID 4828 wrote to memory of 4636 | 4828 | cmd.exe | 99 |
| PID 4828 wrote to memory of 4636 | 4828 | cmd.exe | 99 |
| PID 4636 wrote to memory of 4676 | 4636 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 100 |
| PID 4636 wrote to memory of 4676 | 4636 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 100 |
| PID 4636 wrote to memory of 4676 | 4636 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 100 |
| PID 4676 wrote to memory of 5544 | 4676 | cmd.exe | 102 |
| PID 4676 wrote to memory of 5544 | 4676 | cmd.exe | 102 |
| PID 4676 wrote to memory of 5544 | 4676 | cmd.exe | 102 |
| PID 5544 wrote to memory of 1128 | 5544 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 103 |
| PID 5544 wrote to memory of 1128 | 5544 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 103 |
| PID 5544 wrote to memory of 1128 | 5544 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 103 |
| PID 1128 wrote to memory of 4788 | 1128 | cmd.exe | 105 |
| PID 1128 wrote to memory of 4788 | 1128 | cmd.exe | 105 |
| PID 1128 wrote to memory of 4788 | 1128 | cmd.exe | 105 |
| PID 4788 wrote to memory of 4748 | 4788 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 106 |
| PID 4788 wrote to memory of 4748 | 4788 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 106 |
| PID 4788 wrote to memory of 4748 | 4788 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 106 |
| PID 4748 wrote to memory of 4956 | 4748 | cmd.exe | 108 |
| PID 4748 wrote to memory of 4956 | 4748 | cmd.exe | 108 |
| PID 4748 wrote to memory of 4956 | 4748 | cmd.exe | 108 |
| PID 4956 wrote to memory of 5928 | 4956 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 109 |
| PID 4956 wrote to memory of 5928 | 4956 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 109 |
| PID 4956 wrote to memory of 5928 | 4956 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 109 |
| PID 5928 wrote to memory of 2280 | 5928 | cmd.exe | 111 |
| PID 5928 wrote to memory of 2280 | 5928 | cmd.exe | 111 |
| PID 5928 wrote to memory of 2280 | 5928 | cmd.exe | 111 |
| PID 2280 wrote to memory of 6128 | 2280 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 112 |
| PID 2280 wrote to memory of 6128 | 2280 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 112 |
| PID 2280 wrote to memory of 6128 | 2280 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 112 |
| PID 6128 wrote to memory of 2220 | 6128 | cmd.exe | 114 |
| PID 6128 wrote to memory of 2220 | 6128 | cmd.exe | 114 |
Processes

| Depth | Image | Command line | PID | Behaviors |
|---|---|---|---|---|
| 1 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 3472 | |
| 2 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 1588 | Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory |
| 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a40A3.bat | 1896 | Suspicious use of WriteProcessMemory |
| 4 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 3796 | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory |
| 5 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a421A.bat | 2136 | Suspicious use of WriteProcessMemory |
| 6 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 1892 | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory |
| 7 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a43EE.bat | 4040 | Suspicious use of WriteProcessMemory |
| 8 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4700 | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory |
| 9 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a46DC.bat | 4828 | Suspicious use of WriteProcessMemory |
| 10 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4636 | Executes dropped EXE; Suspicious use of WriteProcessMemory |
| 11 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4892.bat | 4676 | Suspicious use of WriteProcessMemory |
| 12 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 5544 | Executes dropped EXE; Suspicious use of WriteProcessMemory |
| 13 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A57.bat | 1128 | Suspicious use of WriteProcessMemory |
| 14 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4788 | Executes dropped EXE; Suspicious use of WriteProcessMemory |
| 15 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4C4B.bat | 4748 | Suspicious use of WriteProcessMemory |
| 16 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4956 | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory |
| 17 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E3F.bat | 5928 | Suspicious use of WriteProcessMemory |
| 18 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2280 | Executes dropped EXE; Suspicious use of WriteProcessMemory |
| 19 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a516C.bat | 6128 | Suspicious use of WriteProcessMemory |
| 20 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2220 | Executes dropped EXE |
| 21 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5275.bat | 4008 | System Location Discovery: System Language Discovery |
| 22 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2192 | Executes dropped EXE |
| 23 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5505.bat | 5568 | |
| 24 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4768 | Executes dropped EXE |
| 25 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a56DA.bat | 4224 | |
| 26 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2696 | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 27 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a58FD.bat | 5308 | |
| 28 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 876 | Executes dropped EXE; Drops file in Windows directory |
| 29 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5AC2.bat | 316 | System Location Discovery: System Language Discovery |
| 30 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 1924 | Executes dropped EXE; Drops file in Windows directory |
| 31 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5CC6.bat | 3632 | |
| 32 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 3228 | Executes dropped EXE |
| 33 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5ED9.bat | 3676 | |
| 34 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2080 | Executes dropped EXE |
| 35 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a61D7.bat | 4264 | |
| 36 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4816 | Executes dropped EXE |
| 37 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a62D1.bat | 724 | |
| 38 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 3964 | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 39 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a660D.bat | 2680 | |
| 40 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2512 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery |
| 41 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6801.bat | 2292 | System Location Discovery: System Language Discovery |
| 42 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4740 | Executes dropped EXE |
| 43 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6968.bat | 440 | System Location Discovery: System Language Discovery |
| 44 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 3412 | Executes dropped EXE |
| 45 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6B9B.bat | 2580 | |
| 46 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 652 | Executes dropped EXE; Drops file in Windows directory |
| 47 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6C47.bat | 5420 | |
| 48 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2752 | Executes dropped EXE |
| 49 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6D31.bat | 5788 | |
| 50 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 5328 | Executes dropped EXE; Drops file in Windows directory |
| 51 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6DDD.bat | 5688 | |
| 52 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4456 | Executes dropped EXE |
| 53 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6E5A.bat | 2828 | |
| 54 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2332 | Executes dropped EXE |
| 55 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6ED7.bat | 2032 | |
| 56 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4740 | Executes dropped EXE; Drops file in Windows directory |
| 57 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6F35.bat | 5072 | |
| 58 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 5960 | Executes dropped EXE |
| 59 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6FB2.bat | 5368 | |
| 60 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 3264 | Executes dropped EXE |
| 61 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a701F.bat | 4292 | |
| 62 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 5564 | Executes dropped EXE; Drops file in Windows directory |
| 63 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a707D.bat | 3428 | |
| 64 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 208 | Executes dropped EXE; Drops file in Windows directory |
| 65 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a70FA.bat | 5932 | |
| 66 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 828 | Executes dropped EXE |
| 67 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7148.bat | 2480 | |
| 68 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2476 | Executes dropped EXE |
| 69 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a71C5.bat | 3196 | |
| 70 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2280 | Executes dropped EXE |
| 71 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a733C.bat | 4092 | |
| 72 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4044 | Executes dropped EXE |
| 73 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a73E8.bat | 4264 | |
| 74 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2308 | Executes dropped EXE |
| 75 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a74B3.bat | 5316 | |
| 76 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 3892 | Executes dropped EXE |
| 77 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a758E.bat | 3124 | |
| 78 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 1448 | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 79 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a782D.bat | 4792 | |
| 80 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 3036 | Executes dropped EXE; Drops file in Windows directory |
| 81 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7918.bat | 2256 | |
| 82 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2476 | Executes dropped EXE |
| 83 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79C4.bat | 1460 | |
| 84 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4548 | Executes dropped EXE |
| 85 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A7F.bat | 4848 | |
| 86 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 5764 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery |
| 87 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7B3B.bat | 3456 | |
| 88 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 1692 | Executes dropped EXE |
| 89 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7BF6.bat | 3460 | |
| 90 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 3160 | Executes dropped EXE; Drops file in Windows directory |
| 91 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7CD1.bat | 4816 | |
| 92 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 1772 | Executes dropped EXE |
| 93 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D7D.bat | 5732 | |
| 94 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 3056 | Executes dropped EXE |
| 95 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E58.bat | 1332 | |
| 96 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 5652 | Executes dropped EXE; Drops file in Windows directory |
| 97 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7EF4.bat | 4656 | System Location Discovery: System Language Discovery |
| 98 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 3068 | Executes dropped EXE |
| 99 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7FBF.bat | 1836 | |
| 100 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 1008 | Executes dropped EXE |
| 101 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a808A.bat | 956 | |
| 102 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 5140 | Executes dropped EXE; Drops file in Windows directory |
| 103 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8155.bat | 3888 | |
| 104 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2680 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery |
| 105 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a824F.bat | 4040 | |
| 106 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 3708 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery |
| 107 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a830B.bat | 1572 | |
| 108 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 1832 | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 109 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8378.bat | 1624 | |
| 110 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4872 | Executes dropped EXE; System Location Discovery: System Language Discovery |
| 111 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a83D6.bat | 2892 | |
| 112 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4656 | Executes dropped EXE |
| 113 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8424.bat | 4184 | |
| 114 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 640 | Executes dropped EXE; Drops file in Windows directory |
| 115 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8482.bat | 3032 | |
| 116 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 1220 | Executes dropped EXE |
| 117 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a84DF.bat | 4264 | System Location Discovery: System Language Discovery |
| 118 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2000 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery |
| 119 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a853D.bat | 3464 | |
| 120 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 2248 | Executes dropped EXE |
| 121 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a85AB.bat | 4876 | System Location Discovery: System Language Discovery |
| 122 | C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe" | 4512 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery |