Analysis
max time kernel: 149s
max time network: 103s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 17:25
Static task: static1
Behavioral task: behavioral1
  Sample: 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe
  Resource: win11-20250619-en
General
Target: 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe
Size: 6.1MB
MD5: c0e61d11f0ec05999ea19383e9f1db4a
SHA1: bef90c69ed9cdaa07e578821f164394ad8148378
SHA256: 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088
SHA512: 0f5edb36ab1f82c85e6f9e0629ddc90d6c5b8636481c0fe01619b053d0a9c3f77ad2ef81cb83549d941cd394c7f9f7d1e75bf723579775c5010ee7626ef0c54f
SSDEEP: 98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL4:0jJC
Malware Config
Signatures
-
Executes dropped EXE  64 IoCs
pid  Process
3544  Logo1_.exe
1064, 5128, 3396, 5080, 5124, 1012, 3696, 4716, 5340, 1872, 3580, 2324, 1840, 5316, 752, 4272, 5716, 5256, 2504, 2996, 5400, 4584, 2452, 4976, 4276, 4616, 4716, 976, 5096, 1548, 3580, 3344, 2132, 1172, 5512, 3452, 5696, 3476, 924, 2032, 3560, 5340, 5968, 5008, 1296, 2632, 3396, 3296, 4972, 4088, 5564, 4636, 1064, 5132, 1264, 5864, 5164, 3824, 3332, 1660, 4616, 2832, 400  46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe  (63 rows)
The 63 rows under the original file name are relaunches of the same binary through the sample -> cmd.exe -> sample chain recorded under "Suspicious use of WriteProcessMemory" below. Pids 1064, 3396, 3580, 4616, 4716 and 5340 each occur twice: the earlier instance had exited and Windows recycled the pid, so a pid alone is not a stable handle on this process tree.
Enumerates connected drives  3 TTPs  42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)   Process: Logo1_.exe (all 42 rows)
ioc, in report order: \??\Y: \??\N: \??\L: \??\E: \??\V: \??\G: \??\U: \??\S: \??\Q: \??\M: \??\J: \??\T: \??\O: \??\W: \??\R: \??\P: \??\O: \??\H: \??\H: \??\Z: \??\Y: \??\W: \??\U: \??\I: \??\E: \??\X: \??\K: \??\K: \??\X: \??\S: \??\Q: \??\N: \??\Z: \??\V: \??\T: \??\I: \??\R: \??\P: \??\M: \??\L: \??\G: \??\J:
Every letter from E: to Z: except F: is opened exactly twice (21 letters, 42 rows); A:, B:, C:, D: and F: are not probed. A sweep of every drive root is how malware locates removable and mapped drives to spread to; the report does not show what Logo1_.exe did on any of them, only that it opened the roots.
Drops file in Program Files directory  64 IoCs
Process: Logo1_.exe for every row. description / ioc:
File created  C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini
File created  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hans\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-sl\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ru-ru\_desktop.ini
File created  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini
File opened for modification  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\_desktop.ini
File created  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\_desktop.ini
File created  C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\885E2137-A6C8-43EF-AEC0-ECE2AB6B37A9\root\vfs\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\_desktop.ini
File created  C:\Program Files (x86)\Common Files\Oracle\Java\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini
File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\_desktop.ini
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\identity_proxy\_desktop.ini
File opened for modification  C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini
File created  C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\en-gb\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\tr-tr\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini
File created  C:\Program Files\Google\Chrome\Application\133.0.6943.60\_desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\_desktop.ini
File created  C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\_desktop.ini
File opened for modification  C:\Program Files (x86)\Microsoft\EdgeCore\_desktop.ini
File created  C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\_desktop.ini
File opened for modification  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini
File created  C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\_desktop.ini
File created  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\_desktop.ini
File created  C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\_desktop.ini
File created  C:\Program Files\Java\jre-1.8\legal\_desktop.ini
File created  C:\Program Files\Windows Media Player\Visualizations\_desktop.ini
File created  C:\Program Files\Windows Sidebar\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\_desktop.ini
File created  C:\Program Files\Java\jdk-1.8\lib\_desktop.ini
File created  C:\Program Files\VideoLAN\VLC\locale\kab\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\_desktop.ini
File created  C:\Program Files\Microsoft Office\root\vfs\Fonts\private\_desktop.ini
File created  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\_desktop.ini
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini
File created  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\identity_proxy\win10\_desktop.ini
File opened for modification  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini
File created  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini
File created  C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\_desktop.ini
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\_desktop.ini
Every row is the same file name, _desktop.ini, written into one directory after another under both Program Files trees. Windows itself only ever writes desktop.ini (no leading underscore), so a _desktop.ini anywhere on a volume is a usable hunting indicator for this sample.
Drops file in Windows directory  64 IoCs
description / ioc / Process:
File created  C:\Windows\Logo1_.exe  46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe  (60 rows)
File opened for modification  C:\Windows\rundl132.exe  46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe
File created  C:\Windows\rundl132.exe  46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created  C:\Windows\Dll.dll  Logo1_.exe
Logo1_.exe is written 60 times because every relaunch of the sample re-drops it. Note the spelling of rundl132.exe: the digit 1 replaces the second l of the legitimate rundll32.exe, so the name passes a quick glance in a process list. Both Logo1_.exe and rundl132.exe sit directly in C:\Windows rather than C:\Windows\System32, which is itself unusual for a system binary.
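An added example, not part of the report: a Python hunt that walks a volume root (a live C:\ or an offline image mounted anywhere) for the three names dropped into C:\Windows and for _desktop.ini markers under both Program Files trees, hashing each hit so it can be compared with the sample's SHA256 from the header. The directory layout built by build_sample_tree is constructed for the demonstration; on a real volume you would pass the mount point to hunt() and skip it.

```python
"""Hunt for the on-disk artifacts this report attributes to the sample.

Added example. `hunt(root)` is what you would run against a volume; the
sample tree and `demo()` exist only to show it working offline.
"""
import hashlib
import os
import tempfile

# Names from the report's "Drops file in Windows directory" rows (compared case-insensitively).
WINDOWS_DROPS = {"logo1_.exe", "rundl132.exe", "dll.dll"}
# The report shows _desktop.ini (leading underscore) written across Program Files.
# Windows writes desktop.ini, never _desktop.ini, so the underscore form is the indicator.
PROGRAM_FILES_MARKER = "_desktop.ini"
# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088"


def sha256_of(path):
    """Stream a file through SHA256; avoids reading a multi-MB dropper into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root):
    """Return a list of (category, path, sha256) for every artifact matching the report."""
    findings = []
    windows_dir = os.path.join(root, "Windows")
    if os.path.isdir(windows_dir):
        for name in os.listdir(windows_dir):
            if name.lower() in WINDOWS_DROPS:
                p = os.path.join(windows_dir, name)
                findings.append(("windows_drop", p, sha256_of(p)))
    for pf in ("Program Files", "Program Files (x86)"):
        # os.walk on a missing directory simply yields nothing
        for dirpath, _, files in os.walk(os.path.join(root, pf)):
            for f in files:
                if f.lower() == PROGRAM_FILES_MARKER:
                    p = os.path.join(dirpath, f)
                    findings.append(("marker_file", p, sha256_of(p)))
    return findings


def build_sample_tree(root):
    """Constructed layout: the three Windows-dir drops plus a benign notepad.exe,
    one _desktop.ini marker in a VLC locale folder (a path the report lists) and a
    legitimate desktop.ini beside it that must not match."""
    os.makedirs(os.path.join(root, "Windows"))
    for name in ("Logo1_.exe", "rundl132.exe", "Dll.dll", "notepad.exe"):
        with open(os.path.join(root, "Windows", name), "wb") as f:
            f.write(b"MZ" + name.encode())          # placeholder bytes, not real PE files
    app = os.path.join(root, "Program Files", "VideoLAN", "VLC", "locale", "br")
    os.makedirs(app)
    for ini in ("_desktop.ini", "desktop.ini"):
        with open(os.path.join(app, ini), "wb") as f:
            f.write(b"[.ShellClassInfo]\r\n")
    return root


def demo():
    """Build the constructed tree in a temp dir, hunt it, and return findings
    with paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(cat, os.path.relpath(p, tmp), h) for cat, p, h in hunt(tmp)]


if __name__ == "__main__":
    for cat, rel, h in demo():
        tag = "  (hash matches submitted sample)" if h == SAMPLE_SHA256 else ""
        print(f"{cat:13} {h[:12]}  {rel}{tag}")
```

On the constructed tree it returns three windows_drop hits and one marker_file hit; notepad.exe and the underscore-less desktop.ini are ignored. The hashes will not equal SAMPLE_SHA256 here because the placeholder files are not the real binary; on a real host a match on C:\Windows\Logo1_.exe would confirm it is a byte-identical copy of the submitted sample.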
System Location Discovery: System Language Discovery  1 TTPs  64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description: Key opened   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe (37 rows), cmd.exe (25 rows), Logo1_.exe (2 rows)
Caveat: this key is read during ordinary locale initialisation, and 25 of the 64 rows come from cmd.exe, which the sample merely uses as a launcher. On its own the signature shows that the processes started, not that the sample branches on the locale; treat it as low-confidence unless the sample's own code is seen comparing the value.
Runs net.exe
No rows are listed for this signature. The "Suspicious use of WriteProcessMemory" section below records Logo1_.exe (pid 3544) starting net.exe (pid 2152), which in turn starts pid 1776; the command line passed to net.exe is not shown in this report.
Suspicious behavior: EnumeratesProcesses  64 IoCs
pid  Process  (rows)
5296  46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe  18
3544  Logo1_.exe  44
6012  46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe  2
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | occurrences
PID 5296 wrote to memory of 5808 | 5296 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 78 | 3
PID 5296 wrote to memory of 3544 | 5296 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 79 | 3
PID 3544 wrote to memory of 2152 | 3544 | Logo1_.exe | 81 | 3
PID 2152 wrote to memory of 1776 | 2152 | net.exe | 83 | 3
PID 5808 wrote to memory of 1064 | 5808 | cmd.exe | 84 | 3
PID 1064 wrote to memory of 5916 | 1064 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 85 | 3
PID 5916 wrote to memory of 5128 | 5916 | cmd.exe | 87 | 3
PID 5128 wrote to memory of 4720 | 5128 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 88 | 3
PID 4720 wrote to memory of 3396 | 4720 | cmd.exe | 90 | 3
PID 3396 wrote to memory of 4992 | 3396 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 91 | 3
PID 3544 wrote to memory of 3324 | 3544 | Logo1_.exe | 52 | 2
PID 4992 wrote to memory of 5080 | 4992 | cmd.exe | 93 | 3
PID 5080 wrote to memory of 4380 | 5080 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 94 | 3
PID 4380 wrote to memory of 5124 | 4380 | cmd.exe | 96 | 3
PID 5124 wrote to memory of 804 | 5124 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 97 | 3
PID 804 wrote to memory of 1012 | 804 | cmd.exe | 99 | 3
PID 1012 wrote to memory of 884 | 1012 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 100 | 3
PID 884 wrote to memory of 3696 | 884 | cmd.exe | 102 | 3
PID 3696 wrote to memory of 4832 | 3696 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 103 | 3
PID 4832 wrote to memory of 4716 | 4832 | cmd.exe | 105 | 3
PID 4716 wrote to memory of 4920 | 4716 | 46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe | 106 | 3
PID 4920 wrote to memory of 5340 | 4920 | cmd.exe | 108 | 2
Processes
(each entry: depth in the process tree, image path, PID, command line, matched signatures)
depth 1: C:\Windows\Explorer.EXE, PID 3324
  command line: C:\Windows\Explorer.EXE
depth 2: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5296
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 3: C:\Windows\SysWOW64\cmd.exe, PID 5808
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8FAD.bat
  - Suspicious use of WriteProcessMemory
depth 4: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 1064
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
depth 5: C:\Windows\SysWOW64\cmd.exe, PID 5916
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9114.bat
  - Suspicious use of WriteProcessMemory
depth 6: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5128
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
depth 7: C:\Windows\SysWOW64\cmd.exe, PID 4720
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a92DA.bat
  - Suspicious use of WriteProcessMemory
depth 8: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3396
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 9: C:\Windows\SysWOW64\cmd.exe, PID 4992
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a95F6.bat
  - Suspicious use of WriteProcessMemory
depth 10: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5080
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 11: C:\Windows\SysWOW64\cmd.exe, PID 4380
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a96B2.bat
  - Suspicious use of WriteProcessMemory
depth 12: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5124
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 13: C:\Windows\SysWOW64\cmd.exe, PID 804
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9858.bat
  - Suspicious use of WriteProcessMemory
depth 14: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 1012
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 15: C:\Windows\SysWOW64\cmd.exe, PID 884
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a99FE.bat
  - Suspicious use of WriteProcessMemory
depth 16: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3696
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
depth 17: C:\Windows\SysWOW64\cmd.exe, PID 4832
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9B55.bat
  - Suspicious use of WriteProcessMemory
depth 18: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 4716
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 19: C:\Windows\SysWOW64\cmd.exe, PID 4920
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9C9E.bat
  - Suspicious use of WriteProcessMemory
depth 20: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5340
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 21: C:\Windows\SysWOW64\cmd.exe, PID 3512
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9E05.bat
depth 22: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 1872
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
depth 23: C:\Windows\SysWOW64\cmd.exe, PID 2796
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9F5D.bat
depth 24: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3580
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 25: C:\Windows\SysWOW64\cmd.exe, PID 2512
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA0D4.bat
depth 26: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 2324
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
depth 27: C:\Windows\SysWOW64\cmd.exe, PID 1172
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA23B.bat
depth 28: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 1840
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 29: C:\Windows\SysWOW64\cmd.exe, PID 2192
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA3A2.bat
depth 30: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5316
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 31: C:\Windows\SysWOW64\cmd.exe, PID 4684
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA4FA.bat
depth 32: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 752
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
depth 33: C:\Windows\SysWOW64\cmd.exe, PID 1972
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA671.bat
depth 34: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 4272
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 35: C:\Windows\SysWOW64\cmd.exe, PID 3248
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA7AA.bat
depth 36: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5716
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 37: C:\Windows\SysWOW64\cmd.exe, PID 5156
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA8F2.bat
depth 38: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5256
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 39: C:\Windows\SysWOW64\cmd.exe, PID 1224
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAA59.bat
  - System Location Discovery: System Language Discovery
depth 40: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 2504
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 41: C:\Windows\SysWOW64\cmd.exe, PID 3520
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aABA1.bat
depth 42: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 2996
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 43: C:\Windows\SysWOW64\cmd.exe, PID 5592
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aADE3.bat
depth 44: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5400
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 45: C:\Windows\SysWOW64\cmd.exe, PID 5060
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAECE.bat
depth 46: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 4584
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 47: C:\Windows\SysWOW64\cmd.exe, PID 2664
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAF99.bat
depth 48: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 2452
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 49: C:\Windows\SysWOW64\cmd.exe, PID 1716
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB054.bat
depth 50: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 4976
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 51: C:\Windows\SysWOW64\cmd.exe, PID 992
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB15E.bat
depth 52: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 4276
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 53: C:\Windows\SysWOW64\cmd.exe, PID 5252
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB239.bat
depth 54: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 4616
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 55: C:\Windows\SysWOW64\cmd.exe, PID 5048
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB323.bat
depth 56: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 4716
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 57: C:\Windows\SysWOW64\cmd.exe, PID 5148
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB391.bat
depth 58: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 976
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 59: C:\Windows\SysWOW64\cmd.exe, PID 2992
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB40E.bat
  - System Location Discovery: System Language Discovery
depth 60: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5096
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 61: C:\Windows\SysWOW64\cmd.exe, PID 3096
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB47B.bat
depth 62: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 1548
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 63: C:\Windows\SysWOW64\cmd.exe, PID 416
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB4C9.bat
depth 64: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3580
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 65: C:\Windows\SysWOW64\cmd.exe, PID 1044
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB508.bat
depth 66: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3344
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 67: C:\Windows\SysWOW64\cmd.exe, PID 1844
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB565.bat
depth 68: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 2132
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 69: C:\Windows\SysWOW64\cmd.exe, PID 4724
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB5B3.bat
depth 70: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 1172
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 71: C:\Windows\SysWOW64\cmd.exe, PID 4584
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB602.bat
depth 72: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5512
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 73: C:\Windows\SysWOW64\cmd.exe, PID 5332
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB650.bat
  - System Location Discovery: System Language Discovery
depth 74: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3452
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 75: C:\Windows\SysWOW64\cmd.exe, PID 4600
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB68E.bat
depth 76: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5696
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 77: C:\Windows\SysWOW64\cmd.exe, PID 3468
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB6EC.bat
depth 78: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3476
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 79: C:\Windows\SysWOW64\cmd.exe, PID 4964
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB759.bat
depth 80: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 924
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 81: C:\Windows\SysWOW64\cmd.exe, PID 4672
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB824.bat
depth 82: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 2032
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 83: C:\Windows\SysWOW64\cmd.exe, PID 5716
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB96D.bat
depth 84: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3560
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 85: C:\Windows\SysWOW64\cmd.exe, PID 5560
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBC1C.bat
depth 86: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5340
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 87: C:\Windows\SysWOW64\cmd.exe, PID 1716
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBD06.bat
depth 88: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5968
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 89: C:\Windows\SysWOW64\cmd.exe, PID 2080
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBDE1.bat
depth 90: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5008
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 91: C:\Windows\SysWOW64\cmd.exe, PID 5752
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBECC.bat
  - System Location Discovery: System Language Discovery
depth 92: C:\Windows\System32\Conhost.exe, PID 5096
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 92: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 1296
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 93: C:\Windows\SysWOW64\cmd.exe, PID 4996
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBF77.bat
depth 94: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 2632
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 95: C:\Windows\SysWOW64\cmd.exe, PID 4932
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC014.bat
depth 96: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3396
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 97: C:\Windows\SysWOW64\cmd.exe, PID 2900
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC0B0.bat
depth 98: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3296
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 99: C:\Windows\SysWOW64\cmd.exe, PID 3472
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC17B.bat
  - System Location Discovery: System Language Discovery
depth 100: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 4972
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 101: C:\Windows\SysWOW64\cmd.exe, PID 5748
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC2F2.bat
depth 102: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 4088
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 103: C:\Windows\SysWOW64\cmd.exe, PID 4824
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC3FC.bat
depth 104: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5564
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 105: C:\Windows\SysWOW64\cmd.exe, PID 1708
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC498.bat
depth 106: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 4636
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 107: C:\Windows\SysWOW64\cmd.exe, PID 3896
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC4F6.bat
depth 108: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 1064
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 109: C:\Windows\SysWOW64\cmd.exe, PID 4996
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC544.bat
depth 110: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5132
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
depth 111: C:\Windows\SysWOW64\cmd.exe, PID 892
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC582.bat
depth 112: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 1264
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 113: C:\Windows\SysWOW64\cmd.exe, PID 3464
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC5E0.bat
depth 114: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5864
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 115: C:\Windows\SysWOW64\cmd.exe, PID 5068
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC64D.bat
depth 116: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 5164
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 117: C:\Windows\SysWOW64\cmd.exe, PID 2604
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC69C.bat
depth 118: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3824
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
depth 119: C:\Windows\SysWOW64\cmd.exe, PID 3136
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC6EA.bat
depth 120: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 3332
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
depth 121: C:\Windows\SysWOW64\cmd.exe, PID 5320
  command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC738.bat
depth 122: C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe, PID 1660
  command line: "C:\Users\Admin\AppData\Local\Temp\46152a7989c566f20f7f6dbe0d7ab7fab07ba1da1390dee99a3b044307ffe088.exe"
  - Executes dropped EXE
  - Drops file in Windows directory