Analysis
max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250619-en
resource tags
arch:x64 arch:x86 image:win10v2004-20250619-en locale:en-us os:windows10-2004-x64 system
submitted
04/07/2025, 18:34
Static task
static1
Behavioral task
behavioral1
Sample
de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe
Resource
win10v2004-20250619-en
Behavioral task
behavioral2
Sample
de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe
Resource
win11-20250619-en
General
Target
de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe
Size
6.7MB
MD5
53a2056087776997284622c3125a6eba
SHA1
7bc7347df1630efb06d63ed05e4decf8acb1da77
SHA256
de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903
SHA512
67cc09b9ed205214ca64e64caa5a8227f6b9ae1762f0348751c7151633654ef068e60974bf0c1394fe6e5d3b5d256a2569137185e98b51c9a228c54acbe8e909
SSDEEP
98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLJ:0jJr
Malware Config
Signatures
Drops startup file 2 IoCs
description                   ioc                                                                 Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  Logo1_.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  Logo1_.exe
Executes dropped EXE 64 IoCs
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Runs net.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3088 wrote to memory of 3708 | 3088 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 86
PID 3088 wrote to memory of 3708 | 3088 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 86
PID 3088 wrote to memory of 3708 | 3088 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 86
PID 3088 wrote to memory of 5764 | 3088 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 87
PID 3088 wrote to memory of 5764 | 3088 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 87
PID 3088 wrote to memory of 5764 | 3088 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 87
PID 5764 wrote to memory of 4896 | 5764 | Logo1_.exe | 89
PID 5764 wrote to memory of 4896 | 5764 | Logo1_.exe | 89
PID 5764 wrote to memory of 4896 | 5764 | Logo1_.exe | 89
PID 4896 wrote to memory of 3208 | 4896 | net.exe | 91
PID 4896 wrote to memory of 3208 | 4896 | net.exe | 91
PID 4896 wrote to memory of 3208 | 4896 | net.exe | 91
PID 3708 wrote to memory of 6000 | 3708 | cmd.exe | 92
PID 3708 wrote to memory of 6000 | 3708 | cmd.exe | 92
PID 3708 wrote to memory of 6000 | 3708 | cmd.exe | 92
PID 6000 wrote to memory of 5052 | 6000 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 93
PID 6000 wrote to memory of 5052 | 6000 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 93
PID 6000 wrote to memory of 5052 | 6000 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 93
PID 5052 wrote to memory of 3548 | 5052 | cmd.exe | 95
PID 5052 wrote to memory of 3548 | 5052 | cmd.exe | 95
PID 5052 wrote to memory of 3548 | 5052 | cmd.exe | 95
PID 3548 wrote to memory of 2332 | 3548 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 96
PID 3548 wrote to memory of 2332 | 3548 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 96
PID 3548 wrote to memory of 2332 | 3548 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 96
PID 2332 wrote to memory of 4628 | 2332 | cmd.exe | 99
PID 2332 wrote to memory of 4628 | 2332 | cmd.exe | 99
PID 2332 wrote to memory of 4628 | 2332 | cmd.exe | 99
PID 4628 wrote to memory of 4688 | 4628 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 100
PID 4628 wrote to memory of 4688 | 4628 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 100
PID 4628 wrote to memory of 4688 | 4628 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 100
PID 5764 wrote to memory of 3528 | 5764 | Logo1_.exe | 56
PID 5764 wrote to memory of 3528 | 5764 | Logo1_.exe | 56
PID 4688 wrote to memory of 4596 | 4688 | cmd.exe | 103
PID 4688 wrote to memory of 4596 | 4688 | cmd.exe | 103
PID 4688 wrote to memory of 4596 | 4688 | cmd.exe | 103
PID 4596 wrote to memory of 4732 | 4596 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 104
PID 4596 wrote to memory of 4732 | 4596 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 104
PID 4596 wrote to memory of 4732 | 4596 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 104
PID 4732 wrote to memory of 3580 | 4732 | cmd.exe | 107
PID 4732 wrote to memory of 3580 | 4732 | cmd.exe | 107
PID 4732 wrote to memory of 3580 | 4732 | cmd.exe | 107
PID 3580 wrote to memory of 1984 | 3580 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 108
PID 3580 wrote to memory of 1984 | 3580 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 108
PID 3580 wrote to memory of 1984 | 3580 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 108
PID 1984 wrote to memory of 5960 | 1984 | cmd.exe | 131
PID 1984 wrote to memory of 5960 | 1984 | cmd.exe | 131
PID 1984 wrote to memory of 5960 | 1984 | cmd.exe | 131
PID 5960 wrote to memory of 5456 | 5960 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 111
PID 5960 wrote to memory of 5456 | 5960 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 111
PID 5960 wrote to memory of 5456 | 5960 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 111
PID 5456 wrote to memory of 3952 | 5456 | cmd.exe | 121
PID 5456 wrote to memory of 3952 | 5456 | cmd.exe | 121
PID 5456 wrote to memory of 3952 | 5456 | cmd.exe | 121
PID 3952 wrote to memory of 3488 | 3952 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 122
PID 3952 wrote to memory of 3488 | 3952 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 122
PID 3952 wrote to memory of 3488 | 3952 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 122
PID 3488 wrote to memory of 3280 | 3488 | cmd.exe | 159
PID 3488 wrote to memory of 3280 | 3488 | cmd.exe | 159
PID 3488 wrote to memory of 3280 | 3488 | cmd.exe | 159
PID 3280 wrote to memory of 4328 | 3280 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 193
PID 3280 wrote to memory of 4328 | 3280 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 193
PID 3280 wrote to memory of 4328 | 3280 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 193
PID 4328 wrote to memory of 408 | 4328 | cmd.exe | 135
PID 4328 wrote to memory of 408 | 4328 | cmd.exe | 135
Processes
depth⤵ image | command line | PID
1⤵ C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3528
2⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:3088
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
3⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A47.bat | PID:3708
- Suspicious use of WriteProcessMemory
4⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:6000
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
5⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4BAF.bat | PID:5052
- Suspicious use of WriteProcessMemory
6⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:3548
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
7⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4DD2.bat | PID:2332
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
8⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4628
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
9⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5023.bat | PID:4688
- Suspicious use of WriteProcessMemory
10⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4596
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
11⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5246.bat | PID:4732
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
12⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:3580
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
13⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a54F6.bat | PID:1984
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
14⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5960
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
15⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a595B.bat | PID:5456
- Suspicious use of WriteProcessMemory
16⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:3952
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
17⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a65BF.bat | PID:3488
- Suspicious use of WriteProcessMemory
18⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:3280
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
19⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a76F5.bat | PID:4328
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
20⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:408
- Executes dropped EXE
21⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a84D0.bat | PID:808
22⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:744
- Executes dropped EXE
23⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a90C6.bat | PID:5608
24⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5804
- Executes dropped EXE
25⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9933.bat | PID:3120
26⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:1056
- Executes dropped EXE
27⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA0B4.bat | PID:5676
28⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5500
- Executes dropped EXE
- System Location Discovery: System Language Discovery
29⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA70D.bat | PID:2896
30⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:1200
- Executes dropped EXE
- System Location Discovery: System Language Discovery
31⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAC9B.bat | PID:3300
32⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4304
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
33⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB1EB.bat | PID:4008
34⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:3928
- Executes dropped EXE
35⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB67F.bat | PID:3936
36⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:3280
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
37⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBAC4.bat | PID:5496
38⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5052
- Executes dropped EXE
- Drops file in Windows directory
39⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBEAC.bat | PID:5964
40⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4684
- Executes dropped EXE
41⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC294.bat | PID:3216
- System Location Discovery: System Language Discovery
42⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:2280
- Executes dropped EXE
- Drops file in Windows directory
43⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC65D.bat | PID:5808
44⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:6080
- Executes dropped EXE
- System Location Discovery: System Language Discovery
45⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC999.bat | PID:2608
46⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:2736
- Executes dropped EXE
- Drops file in Windows directory
47⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCA07.bat | PID:5252
48⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:2940
- Executes dropped EXE
49⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCA55.bat | PID:3728
50⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:1488
- Executes dropped EXE
51⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCAF1.bat | PID:5412
52⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4040
- Executes dropped EXE
53⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCB5E.bat | PID:736
54⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:508
- Executes dropped EXE
- Drops file in Windows directory
55⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCBDB.bat | PID:3160
56⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5976
- Executes dropped EXE
57⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCC58.bat | PID:4328
58⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5248
- Executes dropped EXE
59⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCCF5.bat | PID:2464
60⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:2728
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
61⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCD81.bat | PID:3512
- System Location Discovery: System Language Discovery
62⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:2176
- Executes dropped EXE
63⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCDEF.bat | PID:6020
- System Location Discovery: System Language Discovery
64⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:3108
- Executes dropped EXE
65⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCE4C.bat | PID:4432
66⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:1808
- Executes dropped EXE
67⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCEC9.bat | PID:3120
68⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5056
- Executes dropped EXE
69⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCF37.bat | PID:5092
70⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:3116
- Executes dropped EXE
71⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aCFB4.bat | PID:3340
72⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1200
72⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4984
- Executes dropped EXE
- Drops file in Windows directory
73⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD031.bat | PID:4392
74⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:3300
- Executes dropped EXE
- Drops file in Windows directory
75⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD09E.bat | PID:2700
76⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:2780
- Executes dropped EXE
77⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD11B.bat | PID:2332
78⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:6048
- Executes dropped EXE
- Drops file in Windows directory
79⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD188.bat | PID:3172
80⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4032
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
81⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD263.bat | PID:1100
82⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4684
- Executes dropped EXE
83⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD2F0.bat | PID:2504
84⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5232
- Executes dropped EXE
85⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD35D.bat | PID:4908
86⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:6004
- Executes dropped EXE
- System Location Discovery: System Language Discovery
87⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD3CB.bat | PID:4868
88⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:2684
- Executes dropped EXE
- Drops file in Windows directory
89⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD438.bat | PID:6016
90⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5552
- Executes dropped EXE
91⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD4E4.bat | PID:4588
- System Location Discovery: System Language Discovery
92⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:896
- Executes dropped EXE
93⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD59F.bat | PID:2312
- System Location Discovery: System Language Discovery
94⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4916
- Executes dropped EXE
- Drops file in Windows directory
95⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD61C.bat | PID:5788
96⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:1444
- Executes dropped EXE
97⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD67A.bat | PID:4456
98⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4708
- Executes dropped EXE
99⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD6D8.bat | PID:3540
100⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5320
- Executes dropped EXE
101⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD745.bat | PID:3576
102⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:3604
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
103⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD84F.bat | PID:4900
104⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:2744
- Executes dropped EXE
- Drops file in Windows directory
105⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD8DB.bat | PID:980
106⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:1960
- Executes dropped EXE
107⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD968.bat | PID:4272
108⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:744
108⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5324
- Executes dropped EXE
- Drops file in Windows directory
109⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD9C6.bat | PID:5340
- System Location Discovery: System Language Discovery
110⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:2012
- Executes dropped EXE
111⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDA43.bat | PID:2376
112⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4056
- Executes dropped EXE
113⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDAA1.bat | PID:3700
114⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:1644
- Executes dropped EXE
115⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDB1E.bat | PID:544
116⤵ C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:5500
116⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:1300
- Executes dropped EXE
117⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDB8B.bat | PID:3120
118⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4232
- Executes dropped EXE
119⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDBE9.bat | PID:2896
120⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:5184
- Executes dropped EXE
- Drops file in Windows directory
121⤵ C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDC46.bat | PID:1800
- System Location Discovery: System Language Discovery
122⤵ C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | PID:4304
- Executes dropped EXE
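The process tree above is a batch-file relay: the sample starts cmd.exe /c %TEMP%\$$aXXXX.bat, that batch file starts the sample again, and the pattern repeats more than sixty levels deep, while the WriteProcessMemory listing records three writes into each freshly spawned child plus one write by Logo1_.exe (PID 5764) into Explorer.EXE (PID 3528). The Python below is an added example, not part of the sandbox report or of any vendor tooling: it links the tree records by nesting depth (keyed by record index, because the report reuses PIDs such as 3280 and 5052), extracts the relay chain, and cross-checks the memory-write edges against that lineage so that the one write into a non-child process stands out. The records are transcribed by hand from the listings above (a subset); Logo1_.exe's path is not given in the report, so it is carried as a bare name; the function names and regular expressions are this example's own.

```python
import re
from collections import Counter

# Added example, not part of the sandbox report. Records are transcribed by hand
# from this report (a subset); Logo1_.exe's path is not given in the report, so
# it is carried as a bare name here.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe")
SAMPLE_NAME = SAMPLE.rsplit("\\", 1)[1]
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"


def cmd_bat(name):
    return rf"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{name}"


# (depth, pid, image, command line) in report order. A record's parent is the
# nearest preceding record one level up, which is how the report nests them.
TREE = [
    (1, 3528, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (2, 3088, SAMPLE, f'"{SAMPLE}"'),
    (3, 3708, CMD_IMAGE, cmd_bat("$$a4A47.bat")),
    (4, 6000, SAMPLE, f'"{SAMPLE}"'),
    (5, 5052, CMD_IMAGE, cmd_bat("$$a4BAF.bat")),
    (6, 3548, SAMPLE, f'"{SAMPLE}"'),
    (7, 2332, CMD_IMAGE, cmd_bat("$$a4DD2.bat")),
    (8, 4628, SAMPLE, f'"{SAMPLE}"'),
    # Second child of PID 3088, taken from the WriteProcessMemory listing
    # (3088 -> 5764) and the "Executes dropped EXE" list, not from the tree.
    (3, 5764, "Logo1_.exe", "Logo1_.exe"),
]

# Rows copied from the WriteProcessMemory listing (one row per logged write).
WPM_ROWS = [
    f"PID 3088 wrote to memory of 3708 3088 {SAMPLE_NAME} 86",
    f"PID 3088 wrote to memory of 3708 3088 {SAMPLE_NAME} 86",
    f"PID 3088 wrote to memory of 5764 3088 {SAMPLE_NAME} 87",
    "PID 3708 wrote to memory of 6000 3708 cmd.exe 92",
    f"PID 6000 wrote to memory of 5052 6000 {SAMPLE_NAME} 93",
    "PID 5764 wrote to memory of 3528 5764 Logo1_.exe 56",
]

BAT_RE = re.compile(r"/c\s+\S*\\(?P<name>\$\$a[0-9A-Fa-f]{4}\.bat)\s*$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def link_parents(tree):
    """Parent index for each record (None for the root), keyed by record index
    rather than PID: Windows reuses PIDs, and this report lists 3280, 5052,
    4684, 4304 and 1200 twice each."""
    parents, last_at_depth = [], {}
    for i, (depth, *_rest) in enumerate(tree):
        parents.append(last_at_depth.get(depth - 1))
        last_at_depth[depth] = i
    return parents


def find_bat_relays(tree):
    """Every cmd.exe that runs a %TEMP%\\$$aXXXX.bat, was started by the sample
    and starts the sample again: (bat name, cmd pid, relaunched sample pid)."""
    parents = link_parents(tree)
    relays = []
    for i, (_depth, pid, image, cmdline) in enumerate(tree):
        m = BAT_RE.search(cmdline)
        if not m or not image.lower().endswith("\\cmd.exe"):
            continue
        if parents[i] is None or tree[parents[i]][2] != SAMPLE:
            continue
        for j, (_d, child_pid, child_image, _c) in enumerate(tree):
            if parents[j] == i and child_image == SAMPLE:
                relays.append((m.group("name"), pid, child_pid))
    return relays


def parse_wpm(rows):
    """Collapse the listing to (writer pid, target pid, writer image) edges with
    the number of writes logged for each."""
    edges = Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            edges[(int(m.group(1)), int(m.group(2)), m.group(3))] += 1
    return edges


def writes_outside_lineage(edges, tree):
    """Edges whose target is not the writer's own child in the tree. The relay
    writes all land in a child the writer has just spawned (process-creation
    plumbing); Logo1_.exe writing into Explorer.EXE (PID 3528, the root) is
    the genuine cross-process write and the one to investigate."""
    parents = link_parents(tree)
    child_of = {(tree[p][1], tree[j][1]) for j, p in enumerate(parents) if p is not None}
    return [e for e in edges if (e[0], e[1]) not in child_of]


if __name__ == "__main__":
    for bat, cmd_pid, child in find_bat_relays(TREE):
        print(f"{bat}: cmd.exe {cmd_pid} relaunched the sample as PID {child}")
    print("writes outside lineage:", writes_outside_lineage(parse_wpm(WPM_ROWS), TREE))
```

Keying the lineage on record index rather than PID matters for the full tree: the same PID appears at two different depths for several records above, so a PID-keyed parent map would silently merge unrelated processes. For a live host the same logic applies to process-creation telemetry by substituting a unique process GUID for the record index.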