Analysis
max time kernel
149s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20250619-en
resource tags
arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted
04/07/2025, 18:34
Static task
static1
Behavioral task
behavioral1
Sample
de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe
Resource
win10v2004-20250619-en
Behavioral task
behavioral2
Sample
de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe
Resource
win11-20250619-en
General
Target
de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe
Size
6.7MB
MD5
53a2056087776997284622c3125a6eba
SHA1
7bc7347df1630efb06d63ed05e4decf8acb1da77
SHA256
de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903
SHA512
67cc09b9ed205214ca64e64caa5a8227f6b9ae1762f0348751c7151633654ef068e60974bf0c1394fe6e5d3b5d256a2569137185e98b51c9a228c54acbe8e909
SSDEEP
98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLJ:0jJr
Malware Config
Signatures
Executes dropped EXE 64 IoCs
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Program crash 2 IoCs
pid pid_target Process procid_target
1948 4912 WerFault.exe 78
3080 4912 WerFault.exe 78
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | rows (identical rows collapsed)
PID 2332 wrote to memory of 2792 | 2332 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 77 | 3
PID 2332 wrote to memory of 4912 | 2332 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 78 | 3
PID 4912 wrote to memory of 3316 | 4912 | Logo1_.exe | 80 | 3
PID 3316 wrote to memory of 3724 | 3316 | net.exe | 82 | 3
PID 2792 wrote to memory of 2136 | 2792 | cmd.exe | 83 | 3
PID 2136 wrote to memory of 1264 | 2136 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 84 | 3
PID 1264 wrote to memory of 3528 | 1264 | cmd.exe | 86 | 3
PID 3528 wrote to memory of 4116 | 3528 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 87 | 3
PID 4116 wrote to memory of 1392 | 4116 | cmd.exe | 89 | 3
PID 1392 wrote to memory of 4920 | 1392 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 90 | 3
PID 4912 wrote to memory of 3296 | 4912 | Logo1_.exe | 51 | 2
PID 4920 wrote to memory of 3312 | 4920 | cmd.exe | 92 | 3
PID 3312 wrote to memory of 5004 | 3312 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 93 | 3
PID 5004 wrote to memory of 5884 | 5004 | cmd.exe | 95 | 3
PID 5884 wrote to memory of 1976 | 5884 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 96 | 3
PID 1976 wrote to memory of 3620 | 1976 | cmd.exe | 98 | 3
PID 3620 wrote to memory of 5084 | 3620 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 99 | 3
PID 5084 wrote to memory of 980 | 5084 | cmd.exe | 101 | 3
PID 980 wrote to memory of 3496 | 980 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 102 | 3
PID 3496 wrote to memory of 2096 | 3496 | cmd.exe | 104 | 3
PID 2096 wrote to memory of 4020 | 2096 | de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | 105 | 3
PID 4020 wrote to memory of 3232 | 4020 | cmd.exe | 109 | 2
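The WriteProcessMemory rows above are the sandbox's raw signature output, and almost all of them are the benign triple of writes a WoW64 parent makes into a child it has just created. The one row that matters is PID 4912 (Logo1_.exe) writing into PID 3296, which the process tree identifies as Explorer.EXE. The Python below is an added example, not part of the report or of the sample: it parses rows in the page's format, collapses the repeated rows per writer/target pair, and flags writes whose procid_target is lower than the writer's own index. The assumption (labelled in the code, and consistent with every row on the page, but not documented by the sandbox) is that procid_target is a per-process index assigned in creation order, so a write into a lower-indexed process cannot be a parent setting up its fresh child. The embedded rows are a constructed subset copied from the table.

```python
import re
from collections import Counter

# Constructed subset of the report's "Suspicious use of WriteProcessMemory"
# rows, copied in the page's own format:
#   PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
WPM_ROWS = """
PID 2332 wrote to memory of 2792 2332 de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe 77
PID 2332 wrote to memory of 2792 2332 de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe 77
PID 2332 wrote to memory of 2792 2332 de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe 77
PID 2332 wrote to memory of 4912 2332 de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe 78
PID 2332 wrote to memory of 4912 2332 de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe 78
PID 2332 wrote to memory of 4912 2332 de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe 78
PID 4912 wrote to memory of 3316 4912 Logo1_.exe 80
PID 4912 wrote to memory of 3316 4912 Logo1_.exe 80
PID 4912 wrote to memory of 3316 4912 Logo1_.exe 80
PID 3316 wrote to memory of 3724 3316 net.exe 82
PID 3316 wrote to memory of 3724 3316 net.exe 82
PID 3316 wrote to memory of 3724 3316 net.exe 82
PID 2792 wrote to memory of 2136 2792 cmd.exe 83
PID 2792 wrote to memory of 2136 2792 cmd.exe 83
PID 2792 wrote to memory of 2136 2792 cmd.exe 83
PID 4912 wrote to memory of 3296 4912 Logo1_.exe 51
PID 4912 wrote to memory of 3296 4912 Logo1_.exe 51
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_writes(text):
    """One (writer_pid, target_pid, writer_image, procid_target) tuple per row."""
    return [(int(w), int(t), img, int(idx)) for w, t, img, idx in ROW_RE.findall(text)]


def summarize(writes):
    """Collapse identical rows: (writer, target) -> (writer image, procid_target, row count)."""
    counts = Counter((w, t) for w, t, _, _ in writes)
    table = {}
    for w, t, img, idx in writes:
        table.setdefault((w, t), (img, idx, counts[(w, t)]))
    return table


def process_index(writes):
    """pid -> procid_target, learned from the rows in which that pid was the target."""
    return {t: idx for _, t, _, idx in writes}


def find_injections(writes):
    """Writes into a process that already existed before the writer did.

    Assumption (consistent with every row on the page, but not documented by
    the sandbox): procid_target is a per-process index assigned in creation
    order. A parent launching a child writes into a higher-indexed process;
    a write into a lower-indexed one cannot be that, so it is reported as
    injection into a pre-existing process. Writers whose own index is unknown
    (never a target themselves) are skipped rather than guessed.
    """
    index = process_index(writes)
    return [
        (w, img, t, t_idx, rows)
        for (w, t), (img, t_idx, rows) in summarize(writes).items()
        if w in index and t_idx < index[w]
    ]


if __name__ == "__main__":
    writes = parse_writes(WPM_ROWS)
    for (w, t), (img, idx, rows) in summarize(writes).items():
        print(f"{w:>5} ({img}) -> {t:>5}  target index {idx:>3}  x{rows}")
    for w, img, t, idx, rows in find_injections(writes):
        print(f"INJECTION? {img} (pid {w}) wrote into pre-existing pid {t} (index {idx}), {rows} writes")
```

On the page's own rows this reports exactly one pair, Logo1_.exe (4912, index 78) writing into 3296 (index 51). The original sample (2332) is never a target, so its own index is unknown and its writes are never judged; that is deliberate, since guessing an index would turn every ordinary child launch into a false positive.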
Processes
depth | PID | image | command line | signatures (a node's parent is the nearest node above it whose depth is one less)
1 | PID 3296 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
2 | PID 2332 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
3 | PID 2792 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a88F3.bat | Suspicious use of WriteProcessMemory
4 | PID 2136 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | PID 1264 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A2B.bat | Suspicious use of WriteProcessMemory
6 | PID 3528 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Suspicious use of WriteProcessMemory
7 | PID 4116 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8BF1.bat | Suspicious use of WriteProcessMemory
8 | PID 1392 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Suspicious use of WriteProcessMemory
9 | PID 4920 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8DF4.bat | Suspicious use of WriteProcessMemory
10 | PID 3312 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Suspicious use of WriteProcessMemory
11 | PID 5004 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8FE8.bat | Suspicious use of WriteProcessMemory
12 | PID 5884 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
13 | PID 1976 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a923A.bat | Suspicious use of WriteProcessMemory
14 | PID 3620 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Suspicious use of WriteProcessMemory
15 | PID 5084 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a949B.bat | Suspicious use of WriteProcessMemory
16 | PID 980 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
17 | PID 3496 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a98D1.bat | Suspicious use of WriteProcessMemory
18 | PID 2096 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Suspicious use of WriteProcessMemory
19 | PID 4020 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA063.bat | Suspicious use of WriteProcessMemory
20 | PID 3232 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory
21 | PID 5176 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB4A6.bat | System Location Discovery: System Language Discovery
22 | PID 3776 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
23 | PID 244 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC1A7.bat
24 | PID 3672 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
25 | PID 2208 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC9E4.bat
26 | PID 4808 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; System Location Discovery: System Language Discovery
27 | PID 5844 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD09B.bat
28 | PID 4068 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
29 | PID 2488 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD629.bat
30 | PID 436 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
31 | PID 4416 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDB88.bat
32 | PID 2392 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
33 | PID 4760 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE0C7.bat
34 | PID 6064 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
35 | PID 3056 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE51D.bat
36 | PID 4016 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory
37 | PID 4164 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE924.bat
38 | PID 4472 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; System Location Discovery: System Language Discovery
39 | PID 4812 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aECAE.bat
40 | PID 4436 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
41 | PID 5576 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF019.bat | System Location Discovery: System Language Discovery
42 | PID 832 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
43 | PID 4736 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF058.bat
44 | PID 5572 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
45 | PID 2332 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF0A6.bat
46 | PID 3724 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory
47 | PID 5840 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF132.bat
48 | PID 5588 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
49 | PID 2976 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF190.bat | System Location Discovery: System Language Discovery
50 | PID 2492 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
51 | PID 896 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF21D.bat
52 | PID 2748 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; System Location Discovery: System Language Discovery
53 | PID 4948 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF2A9.bat
54 | PID 1664 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
55 | PID 5308 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF2F8.bat
56 | PID 5024 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
57 | PID 5264 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF346.bat | System Location Discovery: System Language Discovery
58 | PID 4428 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; System Location Discovery: System Language Discovery
59 | PID 4752 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF394.bat
60 | PID 2756 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
61 | PID 5004 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF3E2.bat
62 | PID 4824 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory
63 | PID 4348 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF420.bat
64 | PID 1604 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; System Location Discovery: System Language Discovery
65 | PID 5084 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF46F.bat
66 | PID 5832 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory
67 | PID 5228 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF4AD.bat
68 | PID 1740 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
69 | PID 5296 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF50B.bat
70 | PID 5600 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
71 | PID 2032 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF549.bat
72 | PID 5760 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory
73 | PID 5688 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF597.bat
74 | PID 5736 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
75 | PID 4400 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF5E6.bat
76 | PID 1508 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; System Location Discovery: System Language Discovery
77 | PID 5484 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF634.bat
78 | PID 4408 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
79 | PID 4552 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF682.bat
80 | PID 3112 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
81 | PID 3164 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF6B1.bat | System Location Discovery: System Language Discovery
82 | PID 5740 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
83 | PID 1948 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF6FF.bat
84 | PID 3080 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
85 | PID 4340 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF74D.bat
86 | PID 5836 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; System Location Discovery: System Language Discovery
87 | PID 4168 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF78B.bat | System Location Discovery: System Language Discovery
88 | PID 6008 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
89 | PID 4392 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF7F9.bat
90 | PID 6088 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
90 | PID 2116 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
91 | PID 2188 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF837.bat
92 | PID 5892 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
93 | PID 3672 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF885.bat
94 | PID 244 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
95 | PID 4868 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF8D4.bat
96 | PID 4808 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
96 | PID 4796 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
97 | PID 5668 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF912.bat | System Location Discovery: System Language Discovery
98 | PID 2244 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
99 | PID 4828 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF960.bat
100 | PID 5376 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
101 | PID 1096 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF99F.bat
102 | PID 2488 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
103 | PID 5608 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFA2B.bat | System Location Discovery: System Language Discovery
104 | PID 1840 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; System Location Discovery: System Language Discovery
105 | PID 3664 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFA6A.bat
106 | PID 2780 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
107 | PID 5144 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFA99.bat
108 | PID 1952 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
109 | PID 4196 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFAF6.bat
110 | PID 2696 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
111 | PID 3684 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFB35.bat | System Location Discovery: System Language Discovery
112 | PID 1576 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
113 | PID 5192 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFB73.bat
114 | PID 5652 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
115 | PID 1288 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFBB2.bat
116 | PID 4124 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
117 | PID 832 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFBF0.bat
118 | PID 768 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory
119 | PID 5812 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFC2F.bat
120 | PID 4624 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE
121 | PID 488 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFC8D.bat | System Location Discovery: System Language Discovery
122 | PID 3324 | C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe | "C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe" | Executes dropped EXE; Drops file in Windows directory
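The tree above is the sandbox's own rendering, in which each node's image path, command line and nesting depth run together, and the depth digit fuses with the command line wherever the command line itself ends in a digit (the conhost.exe -ForceV1 nodes at depth 90 and 96). The Python below is an added example and not part of the report: it parses fragments of that rendering into parent/child structure, resolves a fused depth from the fact that a node can be at most one level deeper than the node printed before it, and then answers what a triager wants from this tree: the cmd.exe /c %TEMP%\$$aXXXX.bat relay hops that re-launch the dropped copy of the sample, and the PIDs that are reused by different processes over the run (on this page PID 2332 is the original sample at depth 2 and a cmd.exe at depth 45, so a pid alone does not identify a process here). The three embedded fragments are copied from the page; every regex, name and function is the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\de5a86041cab2ff988aacee71572e4ce65a544bafcf09b58488097aff35e8903.exe"
SAMPLE_NAME = SAMPLE.rsplit("\\", 1)[-1].lower()
CMD = r"C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp"

# Three fragments of the report's process tree, copied in the flattened form the
# page renders ("<image><command line><depth>⤵", then "- tag" lines, then
# "PID:<n>"). Constructed excerpt for this example, not the full tree.
TREE_TOP = rf'''
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3296
{SAMPLE}"{SAMPLE}"2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2332 -
{CMD}\$$a88F3.bat3⤵
- Suspicious use of WriteProcessMemory
PID:2792 -
{SAMPLE}"{SAMPLE}"4⤵
- Executes dropped EXE
PID:2136 -
'''
TREE_MID = rf'''
{SAMPLE}"{SAMPLE}"44⤵
PID:5572 -
{CMD}\$$aF0A6.bat45⤵PID:2332
{SAMPLE}"{SAMPLE}"46⤵
PID:3724 -
'''
TREE_DEEP = rf'''
{CMD}\$$aF7F9.bat89⤵PID:4392
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV190⤵PID:6088
{SAMPLE}"{SAMPLE}"90⤵
PID:2116 -
'''

NODE_RE = re.compile(r"^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*?)(?P<digits>\d+)⤵"
                     r"(?:PID:(?P<pid>\d+))?\s*-?\s*$", re.IGNORECASE)
BAT_RE = re.compile(r"\$\$a[0-9A-F]+\.bat", re.IGNORECASE)


@dataclass
class Node:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    tags: list = field(default_factory=list)
    parent: Optional["Node"] = field(default=None, repr=False)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def resolve_depth(digits: str, prev: Optional[int]) -> tuple[str, int]:
    # The digit run before ⤵ may fuse the command line's tail with the depth
    # ("-ForceV1" + "90" renders as "-ForceV190"). A node sits at most one level
    # below the node printed before it, so take the longest suffix within that
    # bound; the first node of a fragment is taken at face value.
    if prev is None:
        return "", int(digits)
    for cut in range(len(digits)):
        if int(digits[cut:]) <= prev + 1:
            return digits[:cut], int(digits[cut:])
    raise ValueError(f"no plausible depth in {digits!r} after depth {prev}")


def parse_tree(text: str) -> list[Node]:
    nodes: list[Node] = []
    last_at: dict[int, Node] = {}  # most recent node seen at each depth
    for line in (raw.strip() for raw in text.strip().splitlines()):
        m = NODE_RE.match(line)
        if m:
            tail, depth = resolve_depth(m["digits"], nodes[-1].depth if nodes else None)
            node = Node(m["image"], m["cmd"] + tail, depth,
                        int(m["pid"]) if m["pid"] else None, parent=last_at.get(depth - 1))
            for d in [d for d in last_at if d >= depth]:  # that subtree is closed
                del last_at[d]
            last_at[depth] = node
            nodes.append(node)
        elif line.startswith("PID:") and nodes:
            nodes[-1].pid = int(line[4:].split()[0])
        elif line.startswith("- ") and nodes:
            nodes[-1].tags.append(line[2:])
    return nodes


def relay_hops(nodes: list[Node]) -> list[tuple]:
    # One hop of the self-relaunch chain: a copy of the sample runs
    # cmd.exe /c %TEMP%\$$aXXXX.bat and that cmd.exe starts the next copy.
    hops = []
    for n in nodes:
        bat = BAT_RE.search(n.cmdline)
        if n.name == "cmd.exe" and bat and n.parent and n.parent.name == SAMPLE_NAME:
            child = next((c for c in nodes if c.parent is n and c.name == SAMPLE_NAME), None)
            hops.append((n.pid, bat.group(0), child.pid if child else None))
    return hops


def reused_pids(nodes: list[Node]) -> dict[int, list[str]]:
    # Windows recycles PIDs, so over a run this long a pid is not a stable identity.
    seen: dict[int, list[str]] = {}
    for n in nodes:
        if n.pid is not None:
            seen.setdefault(n.pid, []).append(n.name)
    return {p: names for p, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    nodes = parse_tree(TREE_TOP) + parse_tree(TREE_MID) + parse_tree(TREE_DEEP)
    for n in nodes:
        print(f"depth {n.depth:>3}  pid {n.pid}  {n.name}  parent pid {n.parent.pid if n.parent else None}")
    print("relay hops:", relay_hops(nodes))
    print("reused pids:", reused_pids(nodes))
```

Each fragment is parsed on its own, so parent links never cross a gap in the excerpt; on the full tree the same parser gives one hop per cmd.exe node (60 relaunches down to depth 122) and a parent for every node except Explorer.EXE. The depth resolver is the piece that matters when feeding the raw page in: without it the two conhost.exe nodes would be read as depth 190 and 196 and the whole subtree after them would be misattached.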