Analysis

max time kernel: 149s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2025, 18:36
Static task: static1
General

Target: e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
Size: 2.6MB
MD5: 8724208f4c41a4df0206edbb86119e1e
SHA1: 7e05a60f88222f4dab3eb2e4ff065479071ec6e0
SHA256: e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372
SHA512: e231fd620aca11f10d1505ac556f58e7ea4eb313b7384f5e3323c3ab245ef44fa98bff9f019074fecfd011339b047505a0bbfa41fa1f440fe1e60f3d106c1730
SSDEEP:
49152:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLd:iLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLd
Malware Config
Signatures
Executes dropped EXE 64 IoCs

pid | Process
3064 | Logo1_.exe
5864 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
1956 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
3636 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4644 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5832 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4708 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4904 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4692 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
2980 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5952 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
2388 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4208 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5000 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5112 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
760 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
2392 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
2500 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
1668 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
2824 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
1152 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
2736 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4340 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
3628 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5924 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5976 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
3980 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4532 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
1600 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4356 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4604 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4108 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4912 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4832 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4696 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
3256 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5952 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5636 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
2144 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
6000 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5532 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
1724 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
1904 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
2256 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5680 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4360 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
3704 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
624 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4084 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5376 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4092 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
3612 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4396 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4604 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5336 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
2988 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
2684 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
212 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
4388 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
180 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
5292 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
3748 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
1640 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
1020 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Windows Defender\fr-FR\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Media Player\Media Renderer\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Media Player\Network Sharing\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\61CBB2EE-940A-4E67-80FB-1509B77AA286\root\vfs\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\_desktop.ini | Logo1_.exe
File created | C:\Program Files\edge_BITS_4736_1827048842\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\_desktop.ini | Logo1_.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process | entries
File created | C:\Windows\Logo1_.exe | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 62 identical entries
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe | 1
File created | C:\Windows\Dll.dll | Logo1_.exe | 1
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process | entries
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe | 32
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 29
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe | 1
Runs net.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
pid | Process | entries
5552 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 18
3064 | Logo1_.exe | 44
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5552 wrote to memory of 3640 | 5552 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 85
PID 5552 wrote to memory of 3640 | 5552 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 85
PID 5552 wrote to memory of 3640 | 5552 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 85
PID 5552 wrote to memory of 3064 | 5552 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 86
PID 5552 wrote to memory of 3064 | 5552 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 86
PID 5552 wrote to memory of 3064 | 5552 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 86
PID 3064 wrote to memory of 1996 | 3064 | Logo1_.exe | 88
PID 3064 wrote to memory of 1996 | 3064 | Logo1_.exe | 88
PID 3064 wrote to memory of 1996 | 3064 | Logo1_.exe | 88
PID 1996 wrote to memory of 5548 | 1996 | net.exe | 90
PID 1996 wrote to memory of 5548 | 1996 | net.exe | 90
PID 1996 wrote to memory of 5548 | 1996 | net.exe | 90
PID 3640 wrote to memory of 5864 | 3640 | cmd.exe | 91
PID 3640 wrote to memory of 5864 | 3640 | cmd.exe | 91
PID 3640 wrote to memory of 5864 | 3640 | cmd.exe | 91
PID 5864 wrote to memory of 2228 | 5864 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 92
PID 5864 wrote to memory of 2228 | 5864 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 92
PID 5864 wrote to memory of 2228 | 5864 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 92
PID 2228 wrote to memory of 1956 | 2228 | cmd.exe | 94
PID 2228 wrote to memory of 1956 | 2228 | cmd.exe | 94
PID 2228 wrote to memory of 1956 | 2228 | cmd.exe | 94
PID 1956 wrote to memory of 4416 | 1956 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 95
PID 1956 wrote to memory of 4416 | 1956 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 95
PID 1956 wrote to memory of 4416 | 1956 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 95
PID 4416 wrote to memory of 3636 | 4416 | cmd.exe | 97
PID 4416 wrote to memory of 3636 | 4416 | cmd.exe | 97
PID 4416 wrote to memory of 3636 | 4416 | cmd.exe | 97
PID 3636 wrote to memory of 4540 | 3636 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 98
PID 3636 wrote to memory of 4540 | 3636 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 98
PID 3636 wrote to memory of 4540 | 3636 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 98
PID 4540 wrote to memory of 4644 | 4540 | cmd.exe | 100
PID 4540 wrote to memory of 4644 | 4540 | cmd.exe | 100
PID 4540 wrote to memory of 4644 | 4540 | cmd.exe | 100
PID 4644 wrote to memory of 4572 | 4644 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 101
PID 4644 wrote to memory of 4572 | 4644 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 101
PID 4644 wrote to memory of 4572 | 4644 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 101
PID 4572 wrote to memory of 5832 | 4572 | cmd.exe | 103
PID 4572 wrote to memory of 5832 | 4572 | cmd.exe | 103
PID 4572 wrote to memory of 5832 | 4572 | cmd.exe | 103
PID 5832 wrote to memory of 5048 | 5832 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 104
PID 5832 wrote to memory of 5048 | 5832 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 104
PID 5832 wrote to memory of 5048 | 5832 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 104
PID 5048 wrote to memory of 4708 | 5048 | cmd.exe | 107
PID 5048 wrote to memory of 4708 | 5048 | cmd.exe | 107
PID 5048 wrote to memory of 4708 | 5048 | cmd.exe | 107
PID 4708 wrote to memory of 4768 | 4708 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 108
PID 4708 wrote to memory of 4768 | 4708 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 108
PID 4708 wrote to memory of 4768 | 4708 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 108
PID 3064 wrote to memory of 3424 | 3064 | Logo1_.exe | 54
PID 3064 wrote to memory of 3424 | 3064 | Logo1_.exe | 54
PID 4768 wrote to memory of 4904 | 4768 | cmd.exe | 111
PID 4768 wrote to memory of 4904 | 4768 | cmd.exe | 111
PID 4768 wrote to memory of 4904 | 4768 | cmd.exe | 111
PID 4904 wrote to memory of 3000 | 4904 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 112
PID 4904 wrote to memory of 3000 | 4904 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 112
PID 4904 wrote to memory of 3000 | 4904 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 112
PID 3000 wrote to memory of 4692 | 3000 | cmd.exe | 114
PID 3000 wrote to memory of 4692 | 3000 | cmd.exe | 114
PID 3000 wrote to memory of 4692 | 3000 | cmd.exe | 114
PID 4692 wrote to memory of 5576 | 4692 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 115
PID 4692 wrote to memory of 5576 | 4692 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 115
PID 4692 wrote to memory of 5576 | 4692 | e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | 115
PID 5576 wrote to memory of 2980 | 5576 | cmd.exe | 118
PID 5576 wrote to memory of 2980 | 5576 | cmd.exe | 118
Processes
depth | image | command line | PID | signatures
1 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 3424 |
2 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5552 | Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a32F3.bat | 3640 | Suspicious use of WriteProcessMemory
4 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5864 | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
5 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a342C.bat | 2228 | Suspicious use of WriteProcessMemory
6 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 1956 | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
7 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3545.bat | 4416 | Suspicious use of WriteProcessMemory
8 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 3636 | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
9 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a35F1.bat | 4540 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
10 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4644 | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
11 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3778.bat | 4572 | Suspicious use of WriteProcessMemory
12 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5832 | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
13 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3833.bat | 5048 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
14 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4708 | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
15 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a390E.bat | 4768 | Suspicious use of WriteProcessMemory
16 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4904 | Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
17 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3A46.bat | 3000 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
18 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4692 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
19 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3B7F.bat | 5576 | System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
20 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 2980 | Executes dropped EXE; Drops file in Windows directory
21 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3C0B.bat | 1900 | System Location Discovery: System Language Discovery
22 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5952 | Executes dropped EXE; Drops file in Windows directory
23 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3D34.bat | 3824 | System Location Discovery: System Language Discovery
24 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 2388 | Executes dropped EXE; Drops file in Windows directory
25 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3E2E.bat | 4112 | System Location Discovery: System Language Discovery
26 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4208 | Executes dropped EXE; System Location Discovery: System Language Discovery
27 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F76.bat | 208 |
28 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5000 | Executes dropped EXE; Drops file in Windows directory
29 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a40ED.bat | 4212 |
30 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5112 | Executes dropped EXE; Drops file in Windows directory
31 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a41E7.bat | 2188 |
32 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 760 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
33 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a43BC.bat | 5964 |
34 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 2392 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
35 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a442A.bat | 2496 | System Location Discovery: System Language Discovery
36 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 2500 | Executes dropped EXE; Drops file in Windows directory
37 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4514.bat | 4412 |
38 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 1668 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
39 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a46AA.bat | 2880 |
40 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 2824 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
41 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4727.bat | 5464 |
42 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 1152 | Executes dropped EXE; Drops file in Windows directory
43 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a47B4.bat | 5204 |
44 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 2736 | Executes dropped EXE; Drops file in Windows directory
45 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a487F.bat | 1612 | System Location Discovery: System Language Discovery
46 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4340 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
47 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a491B.bat | 4320 |
48 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 3628 | Executes dropped EXE; Drops file in Windows directory
49 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4969.bat | 4948 | System Location Discovery: System Language Discovery
50 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5924 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
51 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49B7.bat | 5824 | System Location Discovery: System Language Discovery
52 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5976 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
53 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49F6.bat | 3472 |
54 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 3980 | Executes dropped EXE; Drops file in Windows directory
55 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A44.bat | 6104 | System Location Discovery: System Language Discovery
56 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4532 | Executes dropped EXE; Drops file in Windows directory
57 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A92.bat | 5856 | System Location Discovery: System Language Discovery
58 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 1600 | Executes dropped EXE
59 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4AF0.bat | 4956 | System Location Discovery: System Language Discovery
60 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4356 | Executes dropped EXE; Drops file in Windows directory
61 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4B2E.bat | 2364 | System Location Discovery: System Language Discovery
62 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4604 | Executes dropped EXE; Drops file in Windows directory
63 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4B8C.bat | 4760 |
64 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4108 | Executes dropped EXE; Drops file in Windows directory
65 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4BDA.bat | 1764 | System Location Discovery: System Language Discovery
66 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4912 | Executes dropped EXE; Drops file in Windows directory
67 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4C19.bat | 4772 |
68 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4832 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
69 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4C57.bat | 5388 |
70 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4696 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
71 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4CB5.bat | 1740 |
72 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 3256 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
73 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D03.bat | 1120 | System Location Discovery: System Language Discovery
74 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5952 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
75 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D51.bat | 3972 |
76 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5636 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
77 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4D9F.bat | 4876 | System Location Discovery: System Language Discovery
78 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 2144 | Executes dropped EXE; Drops file in Windows directory
79 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4DEE.bat | 4388 | System Location Discovery: System Language Discovery
80 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 6000 | Executes dropped EXE; Drops file in Windows directory
81 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E3C.bat | 5000 | System Location Discovery: System Language Discovery
82 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5532 | Executes dropped EXE; System Location Discovery: System Language Discovery
83 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E7A.bat | 380 |
84 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 1724 | Executes dropped EXE; Drops file in Windows directory
85 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4EC8.bat | 916 |
86 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 1904 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
87 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F07.bat | 2452 |
88 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 2256 | Executes dropped EXE; Drops file in Windows directory
89 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F45.bat | 5964 |
90 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5680 | Executes dropped EXE; Drops file in Windows directory
91 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F93.bat | 3496 |
92 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4360 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
93 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4FE2.bat | 840 |
94 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 3704 | Executes dropped EXE; Drops file in Windows directory
95 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5030.bat | 5012 | System Location Discovery: System Language Discovery
96 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 624 | Executes dropped EXE
97 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a50AD.bat | 3628 | System Location Discovery: System Language Discovery
98 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4084 | Executes dropped EXE; Drops file in Windows directory
99 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a510A.bat | 4484 | System Location Discovery: System Language Discovery
100 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5376 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
101 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5197.bat | 1196 |
102 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4092 | Executes dropped EXE; System Location Discovery: System Language Discovery
103 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5224.bat | 4468 | System Location Discovery: System Language Discovery
104 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 3612 | Executes dropped EXE; Drops file in Windows directory
105 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a52B0.bat | 2596 |
106 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4396 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
107 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a539B.bat | 5556 | System Location Discovery: System Language Discovery
108 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4604 | Executes dropped EXE; Drops file in Windows directory
109 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5466.bat | 4556 | System Location Discovery: System Language Discovery
110 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5336 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
111 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5531.bat | 804 | System Location Discovery: System Language Discovery
112 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 2988 | Executes dropped EXE
113 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a55DD.bat | 4948 |
114 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 2684 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
115 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a565A.bat | 3756 |
116 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 212 | Executes dropped EXE; Drops file in Windows directory
117 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a56C7.bat | 1752 |
118 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 4388 | Executes dropped EXE; Drops file in Windows directory
119 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5725.bat | 4624 |
120 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 180 | Executes dropped EXE; System Location Discovery: System Language Discovery
121 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5773.bat | 1724 | System Location Discovery: System Language Discovery
122 | C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe | "C:\Users\Admin\AppData\Local\Temp\e930b8158741e7932804d37cf2e70dfd4f005da7a8c50fd35424144b63dbd372.exe" | 5292 | Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery