Analysis
max time kernel: 150s
max time network: 105s
platform: windows11-21h2_x64
resource: win11-20250610-en
resource tags: arch:x64, arch:x86, image:win11-20250610-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/07/2025, 18:34
Static task: static1
Behavioral task: behavioral1
Sample: 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
Resource: win10v2004-20250502-en
General
Target: 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
Size: 5.4MB
MD5: fade7234a6a4ae7e457219650c59a647
SHA1: 59980382e5fbb6b27969b058141c34aca097958e
SHA256: 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627
SHA512: 8d478bf39629d2df64c1c690e8777acd752e0da20aea7917637e920f06baeedb1324326256367c48d1119890aa09b040096830094c4a29da12b61b09e0d730b8
SSDEEP: 98304:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLW:0jJ4
Malware Config
Signatures
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE 64 IoCs
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other secrets held in the browser profile.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Runs net.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
With one exception, every target of a write here is a process the writer had just spawned: the same parent/child pairs, in the same order, appear in the process tree below, so this signature mostly records process creation rather than injection into an unrelated process. The exception is Logo1_.exe (PID 3596), the dropped executable, writing twice into Explorer.EXE (PID 3316), a process it did not create; that pair is the one worth following up.

description | pid | Process | procid_target
PID 1796 wrote to memory of 4812 | 1796 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 79
PID 1796 wrote to memory of 4812 | 1796 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 79
PID 1796 wrote to memory of 4812 | 1796 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 79
PID 1796 wrote to memory of 3596 | 1796 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 80
PID 1796 wrote to memory of 3596 | 1796 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 80
PID 1796 wrote to memory of 3596 | 1796 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 80
PID 3596 wrote to memory of 5748 | 3596 | Logo1_.exe | 82
PID 3596 wrote to memory of 5748 | 3596 | Logo1_.exe | 82
PID 3596 wrote to memory of 5748 | 3596 | Logo1_.exe | 82
PID 5748 wrote to memory of 1988 | 5748 | net.exe | 84
PID 5748 wrote to memory of 1988 | 5748 | net.exe | 84
PID 5748 wrote to memory of 1988 | 5748 | net.exe | 84
PID 4812 wrote to memory of 6036 | 4812 | cmd.exe | 85
PID 4812 wrote to memory of 6036 | 4812 | cmd.exe | 85
PID 4812 wrote to memory of 6036 | 4812 | cmd.exe | 85
PID 6036 wrote to memory of 2992 | 6036 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 86
PID 6036 wrote to memory of 2992 | 6036 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 86
PID 6036 wrote to memory of 2992 | 6036 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 86
PID 2992 wrote to memory of 5808 | 2992 | cmd.exe | 88
PID 2992 wrote to memory of 5808 | 2992 | cmd.exe | 88
PID 2992 wrote to memory of 5808 | 2992 | cmd.exe | 88
PID 5808 wrote to memory of 2400 | 5808 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 89
PID 5808 wrote to memory of 2400 | 5808 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 89
PID 5808 wrote to memory of 2400 | 5808 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 89
PID 2400 wrote to memory of 5576 | 2400 | cmd.exe | 91
PID 2400 wrote to memory of 5576 | 2400 | cmd.exe | 91
PID 2400 wrote to memory of 5576 | 2400 | cmd.exe | 91
PID 5576 wrote to memory of 2688 | 5576 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 92
PID 5576 wrote to memory of 2688 | 5576 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 92
PID 5576 wrote to memory of 2688 | 5576 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 92
PID 2688 wrote to memory of 4960 | 2688 | cmd.exe | 94
PID 2688 wrote to memory of 4960 | 2688 | cmd.exe | 94
PID 2688 wrote to memory of 4960 | 2688 | cmd.exe | 94
PID 4960 wrote to memory of 5000 | 4960 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 95
PID 4960 wrote to memory of 5000 | 4960 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 95
PID 4960 wrote to memory of 5000 | 4960 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 95
PID 3596 wrote to memory of 3316 | 3596 | Logo1_.exe | 53
PID 3596 wrote to memory of 3316 | 3596 | Logo1_.exe | 53
PID 5000 wrote to memory of 2348 | 5000 | cmd.exe | 97
PID 5000 wrote to memory of 2348 | 5000 | cmd.exe | 97
PID 5000 wrote to memory of 2348 | 5000 | cmd.exe | 97
PID 2348 wrote to memory of 5064 | 2348 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 98
PID 2348 wrote to memory of 5064 | 2348 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 98
PID 2348 wrote to memory of 5064 | 2348 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 98
PID 5064 wrote to memory of 4204 | 5064 | cmd.exe | 100
PID 5064 wrote to memory of 4204 | 5064 | cmd.exe | 100
PID 5064 wrote to memory of 4204 | 5064 | cmd.exe | 100
PID 4204 wrote to memory of 5332 | 4204 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 101
PID 4204 wrote to memory of 5332 | 4204 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 101
PID 4204 wrote to memory of 5332 | 4204 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 101
PID 5332 wrote to memory of 4852 | 5332 | cmd.exe | 103
PID 5332 wrote to memory of 4852 | 5332 | cmd.exe | 103
PID 5332 wrote to memory of 4852 | 5332 | cmd.exe | 103
PID 4852 wrote to memory of 3544 | 4852 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 104
PID 4852 wrote to memory of 3544 | 4852 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 104
PID 4852 wrote to memory of 3544 | 4852 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 104
PID 3544 wrote to memory of 4080 | 3544 | cmd.exe | 106
PID 3544 wrote to memory of 4080 | 3544 | cmd.exe | 106
PID 3544 wrote to memory of 4080 | 3544 | cmd.exe | 106
PID 4080 wrote to memory of 5056 | 4080 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 107
PID 4080 wrote to memory of 5056 | 4080 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 107
PID 4080 wrote to memory of 5056 | 4080 | 61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe | 107
PID 5056 wrote to memory of 2008 | 5056 | cmd.exe | 109
PID 5056 wrote to memory of 2008 | 5056 | cmd.exe | 109
Processes

The tree below is the process chain recorded by the sandbox, written out here one entry per process with its depth in the tree in brackets. The same pattern repeats from depth 2 to depth 122: each instance of the sample launches cmd.exe /c on a $$a????.bat file in %TEMP% (the hex suffix differs each time), and that batch file relaunches the sample. Every sample instance was started with its quoted image path as the whole command line, so those command lines are not repeated below. PIDs are reused within the run (244, 2276, 5836, 5964 and 2056 each appear twice), so match processes by their position in the tree rather than by PID alone. Logo1_.exe (PID 3596) and the net.exe it launched (PID 5748) appear only in the WriteProcessMemory list above; they are not part of the branch shown here.

[1] PID 3316  C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
[2] PID 1796  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[3] PID 4812  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6716.bat
    - Suspicious use of WriteProcessMemory
[4] PID 6036  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
[5] PID 2992  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6830.bat
    - Suspicious use of WriteProcessMemory
[6] PID 5808  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
[7] PID 2400  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a69C6.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[8] PID 5576  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[9] PID 2688  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6B1E.bat
    - Suspicious use of WriteProcessMemory
[10] PID 4960  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
[11] PID 5000  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6C95.bat
    - Suspicious use of WriteProcessMemory
[12] PID 2348  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[13] PID 5064  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6DDD.bat
    - Suspicious use of WriteProcessMemory
[14] PID 4204  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[15] PID 5332  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6F15.bat
    - Suspicious use of WriteProcessMemory
[16] PID 4852  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[17] PID 3544  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a705D.bat
    - Suspicious use of WriteProcessMemory
[18] PID 4080  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[19] PID 5056  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a71B5.bat
    - Suspicious use of WriteProcessMemory
[20] PID 2008  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[21] PID 2044  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a72EE.bat
[22] PID 1620  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[23] PID 2052  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7407.bat
[24] PID 5864  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[25] PID 5836  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a753F.bat
[26] PID 5132  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
[27] PID 3848  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7668.bat
    - System Location Discovery: System Language Discovery
[28] PID 716  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[29] PID 5348  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77B0.bat
[30] PID 1160  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[31] PID 5460  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7995.bat
    - System Location Discovery: System Language Discovery
[32] PID 3128  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[33] PID 3060  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79E3.bat
[34] PID 4488  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[35] PID 2844  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7B1B.bat
[36] PID 6048  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[37] PID 244  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7C44.bat
    - System Location Discovery: System Language Discovery
[38] PID 3380  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[39] PID 1376  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7D5E.bat
    - System Location Discovery: System Language Discovery
[40] PID 5964  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[41] PID 6132  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E86.bat
    - System Location Discovery: System Language Discovery
[42] PID 2276  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[43] PID 3332  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7FBF.bat
[44] PID 4876  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[45] PID 5520  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8136.bat
[46] PID 3612  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[47] PID 5820  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8194.bat
[48] PID 4932  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
[49] PID 2604  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a81F1.bat
[50] PID 3980  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[51] PID 5228  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8240.bat
[52] PID 3844  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[53] PID 572  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a829D.bat
[54] PID 3476  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[55] PID 112  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a831A.bat
[56] PID 4692  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[57] PID 5636  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8388.bat
[58] PID 2444  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[59] PID 2364  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8405.bat
    - System Location Discovery: System Language Discovery
[60] PID 4300  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[61] PID 4356  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8453.bat
[62] PID 3036  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[63] PID 2728  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a84A1.bat
    - System Location Discovery: System Language Discovery
[64] PID 1512  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[65] PID 4700  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a84DF.bat
[66] PID 5928  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[67] PID 5008  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a857C.bat
    - System Location Discovery: System Language Discovery
[68] PID 3388  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[69] PID 1328  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8628.bat
[70] PID 5128  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[71] PID 244  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a86D3.bat
[72] PID 5964  C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[72] PID 2056  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[73] PID 5944  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a878F.bat
[74] PID 1384  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[75] PID 5324  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8889.bat
[76] PID 3348  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[77] PID 2296  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a89B2.bat
[78] PID 2056  C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[78] PID 6076  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[79] PID 5700  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8ACB.bat
[80] PID 360  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[81] PID 5904  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B38.bat
    - System Location Discovery: System Language Discovery
[82] PID 3260  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[83] PID 680  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B87.bat
[84] PID 2276  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[85] PID 3968  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8BF4.bat
[86] PID 3592  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
[87] PID 5484  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8C42.bat
[88] PID 6088  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[89] PID 3312  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8CCF.bat
[90] PID 5624  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[91] PID 4952  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8D1D.bat
[92] PID 700  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[93] PID 2920  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8D7B.bat
[94] PID 4976  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[95] PID 992  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8DC9.bat
[96] PID 628  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[97] PID 1276  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8E26.bat
[98] PID 5828  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
[99] PID 5656  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8EE2.bat
[100] PID 3572  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
[101] PID 440  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a90C6.bat
[102] PID 1684  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[103] PID 5256  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a91C0.bat
[104] PID 3508  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
[105] PID 5140  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a93D4.bat
[106] PID 2152  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[107] PID 2100  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a948F.bat
    - System Location Discovery: System Language Discovery
[108] PID 2076  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[109] PID 3704  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a954B.bat
[110] PID 240  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
[111] PID 3692  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9616.bat
[112] PID 5912  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[113] PID 3256  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a96D1.bat
[114] PID 1000  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[115] PID 2316  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a975E.bat
[116] PID 4672  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
    - Drops file in Windows directory
[117] PID 5836  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9829.bat
[118] PID 6060  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[119] PID 6032  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9904.bat
[120] PID 4944  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
[121] PID 5880  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a99BF.bat
[122] PID 4628  C:\Users\Admin\AppData\Local\Temp\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe
    - Executes dropped EXE
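The two things an analyst wants out of this report, the self-relaunch loop and the Logo1_.exe branch, are easy to miss in a flat list of IoCs. The Python below is an added illustration, not part of the sandbox report or its tooling: it rebuilds parent/child links from process-creation records in creation order (so a reused PID, which this run shows several of, resolves to the right process), then flags every process that was relaunched two or more times through the cmd.exe /c $$a????.bat stub. The event list is a constructed subset transcribed from this page (depths 1 to 10 of the tree plus Logo1_.exe and net.exe from the WriteProcessMemory list); the path of Logo1_.exe and the arguments of net.exe are not shown in the report and are left as None, and the function names are mine.

```python
import re

# Process-creation records (pid, ppid, image, cmdline) transcribed from the
# process tree on this page: depths 1-10 of the self-relaunch chain plus the
# Logo1_.exe -> net.exe branch from the WriteProcessMemory list. This is a
# constructed subset, not sandbox output; cmdline is None where the report
# shows no command line or path for that process.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\61322bc4339ae13d9d054fc6f7e1c57194570269ef740b7da9fa361c77843627.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"


def bat_cmdline(name):
    """Command line of the relaunch stub as it appears at every level of the tree."""
    return r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp" + "\\" + name


EVENTS = [
    (3316, 0,    r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1796, 3316, SAMPLE, f'"{SAMPLE}"'),
    (4812, 1796, CMD, bat_cmdline("$$a6716.bat")),
    (3596, 1796, "Logo1_.exe", None),   # dropped EXE; full path not shown in the report
    (5748, 3596, "net.exe", None),      # arguments not shown in the report
    (6036, 4812, SAMPLE, f'"{SAMPLE}"'),
    (2992, 6036, CMD, bat_cmdline("$$a6830.bat")),
    (5808, 2992, SAMPLE, f'"{SAMPLE}"'),
    (2400, 5808, CMD, bat_cmdline("$$a69C6.bat")),
    (5576, 2400, SAMPLE, f'"{SAMPLE}"'),
    (2688, 5576, CMD, bat_cmdline("$$a6B1E.bat")),
    (4960, 2688, SAMPLE, f'"{SAMPLE}"'),
]

# cmd.exe /c <dir>\$$aXXXX.bat : the batch stub that relaunches the sample
RELAUNCH_BAT = re.compile(r"cmd\.exe\s+/c\s+\S*\\\$\$a[0-9a-f]{4}\.bat\b", re.I)


def link_events(events):
    """For each record, the index of the most recent earlier creation of its
    PPID (None for a root). Windows reuses PIDs, and this report shows the same
    PID at two depths, so parent links are resolved in event order rather than
    by looking a PID up in a flat table."""
    live = {}          # pid -> index of its latest creation event so far
    parent_idx = []
    for i, (pid, ppid, _image, _cmdline) in enumerate(events):
        parent_idx.append(live.get(ppid))
        live[pid] = i
    return parent_idx


def ancestry(events, parent_idx, i):
    """Records from event i up to its root, child first."""
    chain = []
    cur = i
    while cur is not None:
        chain.append(events[cur])
        cur = parent_idx[cur]
    return chain


def relaunch_hops(chain):
    """Count consecutive  X -> cmd.exe /c $$aXXXX.bat -> X  triples going up
    from the process itself, i.e. how many times it was relaunched through
    its own batch stub."""
    hops = 0
    i = 0
    while i + 2 < len(chain):
        child, mid, parent = chain[i], chain[i + 1], chain[i + 2]
        same_image = child[2].lower() == parent[2].lower()
        via_stub = (mid[2].lower().endswith("cmd.exe")
                    and mid[3] is not None
                    and RELAUNCH_BAT.search(mid[3]) is not None)
        if not (same_image and via_stub):
            break
        hops += 1
        i += 2
    return hops


def find_relaunch_loops(events, min_hops=2):
    """Map PID -> (tree depth, hops) for every process relaunched at least
    min_hops times through the stub. A single hop is what an installer that
    restarts itself produces; a chain of them is the signal."""
    parent_idx = link_events(events)
    hits = {}
    for i, rec in enumerate(events):
        chain = ancestry(events, parent_idx, i)
        hops = relaunch_hops(chain)
        if hops >= min_hops:
            hits[rec[0]] = (len(chain), hops)
    return hits


def children_of(events, image_suffix):
    """Image names spawned by any process whose image ends with image_suffix."""
    parent_idx = link_events(events)
    return sorted(
        rec[2] for i, rec in enumerate(events)
        if parent_idx[i] is not None
        and events[parent_idx[i]][2].lower().endswith(image_suffix.lower())
    )


if __name__ == "__main__":
    for pid, (depth, hops) in find_relaunch_loops(EVENTS).items():
        print(f"PID {pid}: depth {depth}, relaunched via $$a*.bat {hops} time(s)")
    print("Logo1_.exe spawned:", children_of(EVENTS, "Logo1_.exe"))
```

On the transcribed subset the script reports PIDs 5808, 5576 and 4960 (depths 6, 8 and 10) with 2, 3 and 4 relaunch hops, and net.exe as the child of Logo1_.exe. On real EDR telemetry the same (pid, ppid, image, cmdline) tuples in creation order are all it needs; where the telemetry carries a process GUID, key on that instead of the PID and the ordering trick in link_events becomes unnecessary.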