Analysis

max time kernel:  149s
max time network: 125s
platform:         windows10-2004_x64
resource:         win10v2004-20250610-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted:        04/07/2025, 18:34 (day/month order: the VM image is dated 2025-06-10, so this is 4 July 2025)
Static task:      static1
General

Target: 70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe
Size:   7.3MB
MD5:    c107d212923c3c16f8ca1c3546182d94
SHA1:   62808c0be8c28597fbb36229ad4950458554f5a6
SHA256: 70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a
SHA512: a173e83a4cf54435bfefa89ec41289c96901ef49721c4aeb276af78bea0bd7f4d895d627c1c335f8c5f43e4e22c29ae7e30c362d04c8af9080134a5f7c05ad79
SSDEEP: 98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL9:CjJr

The SSDEEP value deserves a second look: a long run of one repeated character means consecutive 98304-byte blocks hashed identically, so nearly all of the 7.3MB is repetitive filler. Fuzzy-hash matching on this value will match any similarly padded file, and the meaningful content of the sample is a small fraction of its size.
Malware Config
(no configuration extracted)

Signatures
Drops startup file (2 IoCs)
Process: Logo1_.exe
File created:                  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini
File opened for modification:  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini
Caveat: the signature fires because the path is the Word STARTUP folder, but Word auto-loads only templates and add-ins (.dot, .dotm, .wll) from it, not a _desktop.ini. This is the same directory marker that Logo1_.exe writes across Program Files (below): an infection indicator, not a persistence mechanism.
Executes dropped EXE (64 IoCs)
pid   Process
3056  Logo1_.exe
      70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe, 63 rows, PIDs in report order:
      5440 4548 5448 5416 4880 2872 1716 1456 3448 4024 1696 760 2988 3004 1344 6048 4872 1012 3888 5500 4308 6136 4304 5892 5800 2044 948 1500 460 5416 2560 2724 5864 6044 1732 3660 3164 4312 2904 4300 5584 6116 5864 3780 5396 548 2532 3948 2940 2416 4304 5484 5896 6060 4696 2420 3864 1456 704 3952 1936 4828 4224
Note: several PIDs recur in this list (1456, 4304, 5416, 5864), and 1500 and 1936 appear as cmd.exe, and 5484 as the original sample, in the WriteProcessMemory table. Windows recycles PIDs over a run this long, so correlate on PID plus start time, never on PID alone. The 63 sample rows are consistent with the relaunch chain (sample -> cmd.exe -> sample) visible in the WriteProcessMemory table, not with 63 different binaries.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No IoC rows are listed for this signature in the report, so which browser files were touched, and by which process, is not shown here.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by Logo1_.exe, in report order:
\??\M: \??\G: \??\V: \??\O: \??\K: \??\I: \??\Y: \??\S: \??\Q: \??\J: \??\E: \??\Z: \??\U: \??\R: \??\N: \??\L: \??\H: \??\X: \??\W: \??\T: \??\P:
That is every letter from E: to Z: except F: (21 of 22), attempted whether or not a volume is mounted there: a blind sweep of the drive-letter space, the pattern one expects from code looking for removable or mapped drives. The same Logo1_.exe then writes _desktop.ini markers across Program Files (below).
Drops file in Program Files directory (64 IoCs)
Process for every row: Logo1_.exe. "created" = File created; "modified" = File opened for modification, i.e. an existing file reopened for write. Every row is a _desktop.ini marker; none of the listed paths is an executable.

modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\_desktop.ini
modified  C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini
created   C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\_desktop.ini
modified  C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\_desktop.ini
modified  C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\_desktop.ini
modified  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_desktop.ini
modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\_desktop.ini
created   C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\_desktop.ini
modified  C:\Program Files\Java\jre-1.8\_desktop.ini
created   C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini
created   C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\_desktop.ini
created   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\_desktop.ini
modified  C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\_desktop.ini
modified  C:\Program Files\dotnet\host\fxr\_desktop.ini
modified  C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64\_desktop.ini
modified  C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\_desktop.ini
created   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\_desktop.ini
modified  C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\_desktop.ini
created   C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\_desktop.ini
modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\_desktop.ini
created   C:\Program Files\Mozilla Firefox\browser\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-sl\_desktop.ini
created   C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\_desktop.ini
created   C:\Program Files\Internet Explorer\images\_desktop.ini
created   C:\Program Files\Java\jre-1.8\legal\_desktop.ini
modified  C:\Program Files\Java\jre-1.8\lib\_desktop.ini
modified  C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\_desktop.ini
created   C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\_desktop.ini
created   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\_desktop.ini
modified  C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini
modified  C:\Program Files (x86)\Microsoft\_desktop.ini
created   C:\Program Files\dotnet\host\fxr\_desktop.ini
created   C:\Program Files\edge_BITS_4792_2084814371\_desktop.ini
created   C:\Program Files\Microsoft Office\root\Office16\sdxs\_desktop.ini
created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini
modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hu-hu\_desktop.ini

The table is capped at 64 rows, and the paths span Office, Acrobat, VLC, Java, dotnet, Chrome, Edge, Firefox and PowerShell directories alike, so the marker is being dropped into directories across the whole Program Files tree rather than into any chosen target; the rows shown are a sample of that walk, not the complete set. The file name carries a leading underscore: a plain desktop.ini is a normal Windows shell file and must not be treated as an indicator.
Drops file in Windows directory (64 IoCs)
"sample" = 70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe.

description                   ioc                      Process      rows
File created                  C:\Windows\Logo1_.exe    sample       62
File created                  C:\Windows\Dll.dll       Logo1_.exe   1
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe   1

Reading the table: every relaunched instance of the sample (re)creates C:\Windows\Logo1_.exe, which is why one path accounts for 62 of the 64 rows; the dropped Logo1_.exe then writes Dll.dll and reopens rundl132.exe for write. All three land directly in the C:\Windows root, which needs write access to that directory. Note the name rundl132.exe (digit one, digit three, two): it is a lookalike of the legitimate rundll32.exe, which lives in System32, not in the Windows root, and the two must not be confused when hunting.
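The rows above, together with the Word STARTUP row, give a small and specific indicator set. As an added example, not part of the report and not the sandbox's own tooling, the following Python sweeps a directory laid out like the C: volume for those indicators. The indicator values (the three C:\Windows file names, the _desktop.ini marker name, the Program Files roots, the Word STARTUP path and the sample SHA256) are copied from this report; the `sweep`, `build_demo_volume` and `demo` helpers are this example's own names, and the directory it builds is a constructed placeholder layout so the code runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the report above.
SAMPLE_SHA256 = "70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a"
WINDOWS_DROPS = ("Logo1_.exe", "Dll.dll", "rundl132.exe")  # rundl132 is a lookalike of rundll32
MARKER = "_desktop.ini"           # leading underscore: a plain desktop.ini is a normal Windows file
MARKER_ROOTS = ("Program Files", "Program Files (x86)")
WORD_STARTUP = Path("AppData/Roaming/Microsoft/Word/STARTUP")


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(volume):
    """Walk a directory laid out like the C: volume and return every indicator hit.
    Paths come back relative to `volume`, with forward slashes, sorted per category."""
    volume = Path(volume)

    def rel(p):
        return p.relative_to(volume).as_posix()

    found = {"windows_drops": [], "sample_hash_hits": [], "markers": [], "word_startup": []}

    # 1. Files the sample and Logo1_.exe wrote into the C:\Windows root.
    for name in WINDOWS_DROPS:
        p = volume / "Windows" / name
        if p.is_file():
            found["windows_drops"].append(rel(p))
            if sha256_of(p) == SAMPLE_SHA256:  # is the drop simply a copy of the sample?
                found["sample_hash_hits"].append(rel(p))

    # 2. _desktop.ini markers anywhere under Program Files; exact name, case-insensitive.
    for root_name in MARKER_ROOTS:
        root = volume / root_name
        if root.is_dir():
            for dirpath, _, files in os.walk(root):
                found["markers"] += [rel(Path(dirpath, f)) for f in files if f.lower() == MARKER]

    # 3. The Word STARTUP marker, checked for every profile rather than only Admin.
    users = volume / "Users"
    if users.is_dir():
        for profile in users.iterdir():
            p = profile / WORD_STARTUP / MARKER
            if p.is_file():
                found["word_startup"].append(rel(p))

    return {k: sorted(v) for k, v in found.items()}


def build_demo_volume(base):
    """Constructed layout (placeholder bytes, not real artefacts) mirroring a few of
    the report's paths, plus two legitimate files that must not be flagged."""
    files = {
        "Windows/Logo1_.exe": b"MZ placeholder, not the real dropper",
        "Windows/Dll.dll": b"MZ placeholder",
        "Windows/System32/rundll32.exe": b"MZ legitimate name, must not match rundl132.exe",
        "Program Files/Mozilla Firefox/browser/_desktop.ini": b"",
        "Program Files/VideoLAN/VLC/plugins/spu/_desktop.ini": b"",
        "Program Files (x86)/Microsoft/_desktop.ini": b"",
        "Program Files/Internet Explorer/images/desktop.ini": b"[.ShellClassInfo]",  # legitimate
        "Users/Admin/AppData/Roaming/Microsoft/Word/STARTUP/_desktop.ini": b"",
    }
    for relpath, data in files.items():
        p = Path(base) / relpath
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def demo():
    """Run the sweep against the constructed volume in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(build_demo_volume(tmp))


if __name__ == "__main__":
    for category, hits in demo().items():
        print(f"{category}: {hits if hits else 'none'}")
```

On a live host, point `sweep` at the mounted volume (or at a forensic image mounted read-only) and treat any hit in `windows_drops` or `word_startup` as high confidence, since those names have no legitimate reason to exist. The hash comparison is a check, not an expectation: the report does not say that the dropped Logo1_.exe is byte-identical to the 7.3MB sample, so an empty `sample_hash_hits` does not clear a host.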
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by 70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe:  32 rows
  by cmd.exe:                                                               31 rows
  by net.exe:                                                                1 row

Caveat: this key is read during ordinary locale initialisation, which is why cmd.exe and net.exe account for half of the rows; they carry no signal. The 32 sample rows are one per relaunched instance of the sample rather than repeated probing by one process, so on this report the signature says the sample reads the system language once at start-up, not that it geo-fences its behaviour.
Runs net.exe
Logo1_.exe (PID 3056) starts net.exe (PID 3324), which in turn writes to PID 5648 (see the WriteProcessMemory table). The net.exe command line is not shown in this report, so what it was asked to do cannot be told from this page.
Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid   Process
5484  70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe
3056  Logo1_.exe
Both processes enumerate the process list repeatedly; the 62 rows are all from these two PIDs, the large majority from Logo1_.exe, which is consistent with it polling the process list throughout the run rather than enumerating once.
Suspicious use of WriteProcessMemory (64 IoCs)
Report columns: description, pid, Process, procid_target. The report prints the same writer/target pair up to three times; the 64 rows collapse to the 22 distinct pairs below (each x3 unless marked). "sample" = 70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe.

writer PID  writer image  target PID  target procid
5484        sample        5676        87
5484        sample        3056        88
3056        Logo1_.exe    3324        90
3324        net.exe       5648        92
5676        cmd.exe       5440        93
5440        sample        1500        94
1500        cmd.exe       4548        96
4548        sample        4656        98
4656        cmd.exe       5448        100
5448        sample        4736        101
3056        Logo1_.exe    3468        56    (x2)
4736        cmd.exe       5416        103
5416        sample        4428        104
4428        cmd.exe       4880        106
4880        sample        4792        107
4792        cmd.exe       2872        110
2872        sample        1936        111
1936        cmd.exe       1716        113
1716        sample        4708        114
4708        cmd.exe       1456        116
1456        sample        2332        117
2332        cmd.exe       3448        119   (x2, table cut off at 64 rows)

Reading the table: each target is named once it appears as a writer itself, so the rows chain into a process tree. The sample (5484) starts cmd.exe (5676) and Logo1_.exe (3056); cmd.exe relaunches the sample, which starts cmd.exe again, and so on: nine relaunches are visible before the 64-row cap (3448 is the sample according to the Executes dropped EXE table, and the cap is the only reason the chain stops here). Logo1_.exe starts net.exe (3324), which in turn writes to 5648; neither 5648 nor 3468 is named anywhere in the report. A parent writing into a child it has just created is what this signature fires on, so most rows are ordinary process creation. The one row that does not fit that pattern is Logo1_.exe -> 3468: its target procid (56) is lower than that of every process the sample started, which suggests a process that was already running before the sample, i.e. the only candidate for actual injection in this table.
Processes (tree depth in brackets; each entry lists the image path with its PID, the command line, and the signatures triggered by that process)
-
- [1] C:\Windows\Explorer.EXE (PID 3468)
  Command line: C:\Windows\Explorer.EXE
- [2] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\cmd.exe (PID 5676)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6CD3.bat
  Signatures: Suspicious use of WriteProcessMemory
- [4] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\cmd.exe (PID 1500)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6E0C.bat
  Signatures: Suspicious use of WriteProcessMemory
- [6] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 4548)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\cmd.exe (PID 4656)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a70AC.bat
  Signatures: Suspicious use of WriteProcessMemory
- [8] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\cmd.exe (PID 4736)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a72EE.bat
  Signatures: Suspicious use of WriteProcessMemory
- [10] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\cmd.exe (PID 4428)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7511.bat
  Signatures: Suspicious use of WriteProcessMemory
- [12] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 4880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\cmd.exe (PID 4792)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7743.bat
  Signatures: Suspicious use of WriteProcessMemory
- [14] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 2872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\cmd.exe (PID 1936)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7976.bat
  Signatures: Suspicious use of WriteProcessMemory
- [16] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 1716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\cmd.exe (PID 4708)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7BC7.bat
  Signatures: Suspicious use of WriteProcessMemory
- [18] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 1456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
- [19] C:\Windows\SysWOW64\cmd.exe (PID 2332)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E19.bat
  Signatures: Suspicious use of WriteProcessMemory
- [20] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 3448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [21] C:\Windows\SysWOW64\cmd.exe (PID 2460)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a809A.bat
  Signatures: System Location Discovery: System Language Discovery
- [22] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 4024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory
- [23] C:\Windows\SysWOW64\cmd.exe (PID 4224)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8368.bat
- [24] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 1696)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [25] C:\Windows\SysWOW64\cmd.exe (PID 4148)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8608.bat
- [26] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory
- [27] C:\Windows\SysWOW64\cmd.exe (PID 3528)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a88A8.bat
- [28] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 2988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [29] C:\Windows\SysWOW64\cmd.exe (PID 6004)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A6D.bat
- [30] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 3004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [31] C:\Windows\SysWOW64\cmd.exe (PID 4420)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8C23.bat
- [32] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 1344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory
- [33] C:\Windows\SysWOW64\cmd.exe (PID 2820)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8CA0.bat
  Signatures: System Location Discovery: System Language Discovery
- [34] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 6048)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [35] C:\Windows\SysWOW64\cmd.exe (PID 4336)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8F4F.bat
  Signatures: System Location Discovery: System Language Discovery
- [36] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 4872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [37] C:\Windows\SysWOW64\cmd.exe (PID 5268)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9172.bat
- [38] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 1012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [39] C:\Windows\SysWOW64\cmd.exe (PID 3112)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a93B4.bat
- [40] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 3888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
- [41] C:\Windows\SysWOW64\cmd.exe (PID 3408)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a95F6.bat
- [42] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [43] C:\Windows\SysWOW64\cmd.exe (PID 5376)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9A5B.bat
- [44] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 4308)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- [45] C:\Windows\SysWOW64\cmd.exe (PID 5544)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9BD2.bat
- [46] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 6136)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [47] C:\Windows\SysWOW64\cmd.exe (PID 2652)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9D0B.bat
- [48] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 4304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [49] C:\Windows\SysWOW64\cmd.exe (PID 5656)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9D78.bat
- [50] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5892)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory
- [51] C:\Windows\SysWOW64\cmd.exe (PID 1396)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9DD6.bat
- [52] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5800)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [53] C:\Windows\SysWOW64\cmd.exe (PID 5900)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9E24.bat
- [54] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 2044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [55] C:\Windows\SysWOW64\cmd.exe (PID 1060)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9E82.bat
- [56] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [57] C:\Windows\SysWOW64\cmd.exe (PID 1040)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9ED0.bat
  Signatures: System Location Discovery: System Language Discovery
- [58] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 1500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [59] C:\Windows\SysWOW64\cmd.exe (PID 4768)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9F2E.bat
- [60] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 460)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [61] C:\Windows\SysWOW64\cmd.exe (PID 4592)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9F7C.bat
- [62] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [63] C:\Windows\SysWOW64\cmd.exe (PID 1920)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9FDA.bat
- [64] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 2560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- [65] C:\Windows\SysWOW64\cmd.exe (PID 4824)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA066.bat
- [66] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 2724)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [67] C:\Windows\SysWOW64\cmd.exe (PID 1672)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA568.bat
- [68] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5864)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [69] C:\Windows\SysWOW64\cmd.exe (PID 4740)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA604.bat
  Signatures: System Location Discovery: System Language Discovery
- [70] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 6044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory
- [71] C:\Windows\SysWOW64\cmd.exe (PID 3628)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA6A0.bat
- [72] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 1732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- [73] C:\Windows\SysWOW64\cmd.exe (PID 5564)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA74C.bat
- [74] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 3660)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [75] C:\Windows\SysWOW64\cmd.exe (PID 4688)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA7E8.bat
- [76] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 3164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory
- [77] C:\Windows\SysWOW64\cmd.exe (PID 1052)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA884.bat
- [78] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 4312)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [79] C:\Windows\SysWOW64\cmd.exe (PID 1524)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA940.bat
- [80] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 2904)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory
- [81] C:\Windows\SysWOW64\cmd.exe (PID 3628)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA9DC.bat
- [82] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 4300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [83] C:\Windows\SysWOW64\cmd.exe (PID 2600)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAA98.bat
- [84] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [85] C:\Windows\SysWOW64\cmd.exe (PID 4356)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAB53.bat
- [86] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 6116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [87] C:\Windows\SysWOW64\cmd.exe (PID 4420)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAC2E.bat
  Signatures: System Location Discovery: System Language Discovery
- [88] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5864)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- [89] C:\Windows\SysWOW64\cmd.exe (PID 5856)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD18.bat
- [90] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 3780)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [91] C:\Windows\SysWOW64\cmd.exe (PID 4828)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAE22.bat
- [92] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5396)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory
- [93] C:\Windows\SysWOW64\cmd.exe (PID 4232)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAEBE.bat
- [94] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 548)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [95] C:\Windows\SysWOW64\cmd.exe (PID 2652)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAF3B.bat
  Signatures: System Location Discovery: System Language Discovery
- [96] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 2532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [97] C:\Windows\SysWOW64\cmd.exe (PID 4964)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB0E1.bat
- [98] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 3948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [99] C:\Windows\SysWOW64\cmd.exe (PID 880)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB12F.bat
  Signatures: System Location Discovery: System Language Discovery
- [100] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 2940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
- [101] C:\Windows\SysWOW64\cmd.exe (PID 4788)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB18D.bat
- [102] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 2416)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [103] C:\Windows\SysWOW64\cmd.exe (PID 2776)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB1EB.bat
- [104] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 4304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
- [105] C:\Windows\SysWOW64\cmd.exe (PID 5312)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB239.bat
- [106] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory
- [107] C:\Windows\SysWOW64\cmd.exe (PID 2044)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB287.bat
- [108] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 5896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
- [109] C:\Windows\SysWOW64\cmd.exe (PID 436)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB2C5.bat
- [110] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 6060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [111] C:\Windows\SysWOW64\cmd.exe (PID 2672)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB323.bat
- [112] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 4696)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [113] C:\Windows\SysWOW64\cmd.exe (PID 2648)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB381.bat
- [114] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 2420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE
- [115] C:\Windows\SysWOW64\cmd.exe (PID 4880)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB3DF.bat
- [116] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 1740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
- [117] C:\Windows\SysWOW64\cmd.exe (PID 3120)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB41D.bat
- [118] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 3864)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory
- [119] C:\Windows\SysWOW64\cmd.exe (PID 5980)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB47B.bat
  Signatures: System Location Discovery: System Language Discovery
- [120] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 1456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE; Drops file in Windows directory
- [121] C:\Windows\SysWOW64\cmd.exe (PID 4480)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB4C9.bat
- [122] C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe (PID 704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70431a4853a6b66f3e09a48ff4a4b82a92d3c18f9c52b489ae8f9b9c6a98d09a.exe"
  Signatures: Executes dropped EXE