Analysis
max time kernel: 149s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 18:34
Static task: static1
Behavioral task: behavioral1
Sample: 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
Resource: win10v2004-20250502-en
General
Target: 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
Size: 5.4MB
MD5: fade7234a6a4ae7e457219650c59a647
SHA1: 59980382e5fbb6b27969b058141c34aca097958e
SHA256: 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627
SHA512: 8d478bf39629d2df64c1c690e8777acd752e0da20aea7917637e920f06baeedb1324326256367c48d1119890aa09b040096830094c4a29da12b61b09e0d730b8
SSDEEP: 98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLW:0jJ4
Malware Config
Signatures
Executes dropped EXE 64 IoCs
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Program crash 2 IoCs
pid   pid_target  Process       procid_target
1096  2248        WerFault.exe  85
2548  2248        WerFault.exe  85
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3544
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a881C.bat3⤵
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8973.bat5⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8BF4.bat7⤵
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"8⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8DD8.bat9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5876 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8FAD.bat11⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"12⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a91D0.bat13⤵
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9395.bat15⤵
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a95E7.bat17⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9858.bat19⤵
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"20⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9AD8.bat21⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"22⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9D0B.bat23⤵
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"24⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9FAB.bat25⤵PID:3576
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"26⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA1DD.bat27⤵
- System Location Discovery: System Language Discovery
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"28⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA400.bat29⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"30⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA671.bat31⤵PID:3384
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA894.bat33⤵
- System Location Discovery: System Language Discovery
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"34⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAAA7.bat35⤵
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"36⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1848 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAC2E.bat37⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"38⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAEBE.bat39⤵
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"40⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB1EB.bat41⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"42⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB297.bat43⤵PID:5540
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB323.bat45⤵PID:5860
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"46⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB3CF.bat47⤵
- System Location Discovery: System Language Discovery
PID:5176 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"48⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3340 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB46B.bat49⤵PID:896
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"50⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3328 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB536.bat51⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"52⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB5C3.bat53⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB68E.bat55⤵
- System Location Discovery: System Language Discovery
PID:3220 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"56⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2904 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB72A.bat57⤵PID:4404
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"58⤵
- Executes dropped EXE
PID:5280 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB798.bat59⤵
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"60⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB7E6.bat61⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"62⤵
- Executes dropped EXE
PID:6136 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB844.bat63⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"64⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB8F0.bat65⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"66⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB95D.bat67⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"68⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB9BB.bat69⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"70⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBA57.bat71⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"72⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBAE4.bat73⤵
- System Location Discovery: System Language Discovery
PID:5784 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"74⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBB70.bat75⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"76⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBBCE.bat77⤵PID:4712
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"78⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBC1C.bat79⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"80⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5428 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBC6A.bat81⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"82⤵
- Executes dropped EXE
PID:4916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBCA9.bat83⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"84⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBCF7.bat85⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"86⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBD64.bat87⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"88⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:6052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBDB2.bat89⤵
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"90⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBE00.bat91⤵PID:3776
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"92⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBE7D.bat93⤵PID:3208
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"94⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBECC.bat95⤵PID:656
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"96⤵
- Executes dropped EXE
PID:5332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBF39.bat97⤵
- System Location Discovery: System Language Discovery
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"98⤵
- Executes dropped EXE
PID:5420 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBF97.bat99⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"100⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBFF4.bat101⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"102⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC062.bat103⤵PID:5392
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"104⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC0B0.bat105⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"106⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6064 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC0FE.bat107⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"108⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC16B.bat109⤵PID:1656
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"110⤵
- Executes dropped EXE
PID:5736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC1BA.bat111⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"112⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC227.bat113⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"114⤵
- Executes dropped EXE
PID:5888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC285.bat115⤵
- System Location Discovery: System Language Discovery
PID:4168 -
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"116⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC2D3.bat117⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"118⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC321.bat119⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"120⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:6060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC39E.bat121⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe"122⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4348