96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Size

2.8MB
MD5

e6c2e04d19d1e3bb6c9328c4818166dd
SHA1

fe820813cf5ffc8b32f727fbd026856e2af665c9
SHA256

96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872
SHA512

c0f594ff2a1120f87518802b39e482e8611dfe371ba0be7fbcd41c5423ec73117e527c6920744f9ce0c673a4f0a44c7324fc8054774613917595557ee9582a04
SSDEEP

12288:vj7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7:/cX

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

Deletes itself 1 IoCs

pid	Process
2100	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 61 IoCs

pid	Process
2116	Logo1_.exe
2828	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2884	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2668	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2500	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1248	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1388	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2836	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3060	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1148	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1932	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2448	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2340	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2404	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2716	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2872	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2744	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2780	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1988	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1876	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1080	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1968	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1388	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2084	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1608	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2996	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2188	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
348	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1112	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2940	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2192	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2916	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2340	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2404	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2864	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2720	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2840	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2896	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
764	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
840	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1232	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3008	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1608	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2880	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1348	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
276	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1268	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2568	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
560	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2168	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1412	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
888	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2068	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2360	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1400	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2828	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2648	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3004	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2792	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2700	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1400	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

Loads dropped DLL 64 IoCs

pid	Process
2100	cmd.exe
2100	cmd.exe
2744	cmd.exe
2744	cmd.exe
2304	cmd.exe
2304	cmd.exe
2900	cmd.exe
2900	cmd.exe
552	cmd.exe
552	cmd.exe
2376	cmd.exe
2376	cmd.exe
2944	cmd.exe
2944	cmd.exe
2544	cmd.exe
2544	cmd.exe
2984	cmd.exe
2984	cmd.exe
2016	cmd.exe
2016	cmd.exe
792	cmd.exe
792	cmd.exe
3032	cmd.exe
3032	cmd.exe
2336	cmd.exe
2336	cmd.exe
2704	cmd.exe
2704	cmd.exe
2768	cmd.exe
2768	cmd.exe
2636	cmd.exe
2636	cmd.exe
2612	cmd.exe
2612	cmd.exe
1552	cmd.exe
1552	cmd.exe
840	cmd.exe
840	cmd.exe
1956	cmd.exe
1956	cmd.exe
552	cmd.exe
552	cmd.exe
1840	cmd.exe
1840	cmd.exe
2600	cmd.exe
2600	cmd.exe
2852	cmd.exe
2852	cmd.exe
2232	cmd.exe
2232	cmd.exe
1528	cmd.exe
1528	cmd.exe
2592	cmd.exe
2592	cmd.exe
2020	cmd.exe
2020	cmd.exe
956	cmd.exe
956	cmd.exe
1844	cmd.exe
1844	cmd.exe
2040	cmd.exe
2040	cmd.exe
2408	cmd.exe
2408	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\C8C64.com"	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sw\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\WINDOWS\FONTS\C8C64.com	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File opened for modification	C:\WINDOWS\FONTS\C8C64.com	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\rundl132.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1400	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2100	2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	30
PID 2528 wrote to memory of 2100	2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	30
PID 2528 wrote to memory of 2100	2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	30
PID 2528 wrote to memory of 2100	2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	30
PID 2528 wrote to memory of 2116	2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	31
PID 2528 wrote to memory of 2116	2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	31
PID 2528 wrote to memory of 2116	2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	31
PID 2528 wrote to memory of 2116	2528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	31
PID 2116 wrote to memory of 2704	2116	Logo1_.exe	33
PID 2116 wrote to memory of 2704	2116	Logo1_.exe	33
PID 2116 wrote to memory of 2704	2116	Logo1_.exe	33
PID 2116 wrote to memory of 2704	2116	Logo1_.exe	33
PID 2704 wrote to memory of 2816	2704	net.exe	35
PID 2704 wrote to memory of 2816	2704	net.exe	35
PID 2704 wrote to memory of 2816	2704	net.exe	35
PID 2704 wrote to memory of 2816	2704	net.exe	35
PID 2100 wrote to memory of 2828	2100	cmd.exe	36
PID 2100 wrote to memory of 2828	2100	cmd.exe	36
PID 2100 wrote to memory of 2828	2100	cmd.exe	36
PID 2100 wrote to memory of 2828	2100	cmd.exe	36
PID 2828 wrote to memory of 2744	2828	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	37
PID 2828 wrote to memory of 2744	2828	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	37
PID 2828 wrote to memory of 2744	2828	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	37
PID 2828 wrote to memory of 2744	2828	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	37
PID 2744 wrote to memory of 2884	2744	cmd.exe	39
PID 2744 wrote to memory of 2884	2744	cmd.exe	39
PID 2744 wrote to memory of 2884	2744	cmd.exe	39
PID 2744 wrote to memory of 2884	2744	cmd.exe	39
PID 2884 wrote to memory of 2304	2884	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	40
PID 2884 wrote to memory of 2304	2884	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	40
PID 2884 wrote to memory of 2304	2884	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	40
PID 2884 wrote to memory of 2304	2884	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	40
PID 2304 wrote to memory of 2668	2304	cmd.exe	42
PID 2304 wrote to memory of 2668	2304	cmd.exe	42
PID 2304 wrote to memory of 2668	2304	cmd.exe	42
PID 2304 wrote to memory of 2668	2304	cmd.exe	42
PID 2668 wrote to memory of 2900	2668	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	43
PID 2668 wrote to memory of 2900	2668	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	43
PID 2668 wrote to memory of 2900	2668	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	43
PID 2668 wrote to memory of 2900	2668	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	43
PID 2900 wrote to memory of 2500	2900	cmd.exe	45
PID 2900 wrote to memory of 2500	2900	cmd.exe	45
PID 2900 wrote to memory of 2500	2900	cmd.exe	45
PID 2900 wrote to memory of 2500	2900	cmd.exe	45
PID 2500 wrote to memory of 552	2500	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	46
PID 2500 wrote to memory of 552	2500	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	46
PID 2500 wrote to memory of 552	2500	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	46
PID 2500 wrote to memory of 552	2500	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	46
PID 2116 wrote to memory of 1180	2116	Logo1_.exe	21
PID 2116 wrote to memory of 1180	2116	Logo1_.exe	21
PID 552 wrote to memory of 1248	552	cmd.exe	48
PID 552 wrote to memory of 1248	552	cmd.exe	48
PID 552 wrote to memory of 1248	552	cmd.exe	48
PID 552 wrote to memory of 1248	552	cmd.exe	48
PID 1248 wrote to memory of 2376	1248	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	49
PID 1248 wrote to memory of 2376	1248	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	49
PID 1248 wrote to memory of 2376	1248	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	49
PID 1248 wrote to memory of 2376	1248	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	49
PID 2376 wrote to memory of 1388	2376	cmd.exe	51
PID 2376 wrote to memory of 1388	2376	cmd.exe	51
PID 2376 wrote to memory of 1388	2376	cmd.exe	51
PID 2376 wrote to memory of 1388	2376	cmd.exe	51
PID 1388 wrote to memory of 2944	1388	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	52
PID 1388 wrote to memory of 2944	1388	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
  "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC81F.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
      "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aC9B5.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCB2B.bat
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCC92.bat
        9⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCCE0.bat
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCF60.bat
        13⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD0F5.bat
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD23D.bat
        17⤵
        Loads dropped DLL
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD394.bat
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD4DC.bat
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD5F5.bat
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD73C.bat
        25⤵
        Loads dropped DLL
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD8B3.bat
        27⤵
        Loads dropped DLL
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD8F1.bat
        29⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD94F.bat
        31⤵
        Loads dropped DLL
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD98D.bat
        33⤵
        Loads dropped DLL
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD9DB.bat
        35⤵
        Loads dropped DLL
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDA19.bat
        37⤵
        Loads dropped DLL
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDA67.bat
        39⤵
        Loads dropped DLL
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDAB5.bat
        41⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDAF4.bat
        43⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDB32.bat
        45⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDB71.bat
        47⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDBAF.bat
        49⤵
        Loads dropped DLL
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDBED.bat
        51⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDC1C.bat
        53⤵
        Loads dropped DLL
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDC5B.bat
        55⤵
        Loads dropped DLL
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDC99.bat
        57⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDCE7.bat
        59⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDD35.bat
        61⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDD73.bat
        63⤵
        Loads dropped DLL
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDDC2.bat
        65⤵
        Loads dropped DLL
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDE1F.bat
        67⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDE6D.bat
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDEBB.bat
        71⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDEFA.bat
        73⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDF48.bat
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        76⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDF96.bat
        77⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        78⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDFF3.bat
        79⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        80⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE051.bat
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        82⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE0AE.bat
        83⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        84⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE11C.bat
        85⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        86⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE1C7.bat
        87⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        88⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE2A2.bat
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        90⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE35D.bat
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        92⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE3CA.bat
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        94⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE428.bat
        95⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        96⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE476.bat
        97⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        98⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE4F2.bat
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        100⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE540.bat
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        102⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE57F.bat
        103⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        104⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE5CD.bat
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        106⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE61B.bat
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        108⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE659.bat
        109⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        110⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE6A7.bat
        111⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        112⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE6F5.bat
        113⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        114⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE743.bat
        115⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        116⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE791.bat
        117⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        118⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE7DF.bat
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        120⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE87B.bat
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        122⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1400
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aC81F.bat

Filesize
722B

MD5
315951d063462f3c70be915272a332dd

SHA1
165bbeb1f780191c4e9ff65437b6c1dcc96cf834

SHA256
4f199c20314bdb6db0a1dbb9a40c38c0265f9c04eb6559246bb2159dacdd376f

SHA512
8bb2c4ce767a93533f9c1c8f537f9f53f519c9d77968c667266d7fb933808339e6b1d5820ece5c276a9ca330da58309fd4455a3d75f2a930b394bb9792766253

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aC9B5.bat

Filesize
722B

MD5
883aa91ef920cafcf3097ab0f9b73d92

SHA1
a1302bbd25a1fe32bf77f0ef412af882640bf81c

SHA256
378bfb1193245ab3688763b490f3a2d7e7d049a03b5fa2c329b4ba27dd4f2857

SHA512
f43561ec8ae10c907aefcdb00a39c8ba0b402793581f55cdb2b114ea8204308944f71574058a6764bd1d49d1294b92e562b999e8aa56ced9cbeeb505d2a99d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCB2B.bat

Filesize
722B

MD5
2852936bd910db537738b70da0672392

SHA1
57c58a7e9a4bb3110c93139a9a003ee45aafaf03

SHA256
34598c1d788b75cd58d127d0bee85eefc7f454913b8c69806b43291ae5824ce6

SHA512
2dd03995712816feba455ec50eb06c47fb15bf9f0f9c9e84b1028c164a7049c29856985adf797f6f570138316de4da98a1c2bea3c25954011ad6e70fd71ed914

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCC92.bat

Filesize
722B

MD5
603622a66d66ab442e317c703a0c6025

SHA1
db34ea7027b845e33e0983097fbc979ab35992ff

SHA256
a94baa998f024499f11106e87dec2e42dd3521b0907da8d8e02744210fa5c48a

SHA512
f20458e384f576c43ef2ba84588650573ca923aa3de4a56fc3f192d0eaaf5e6e58e24e0a325deab98df99558eae67e7e4b1ee859507ffdc49a927f4be089146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCCE0.bat

Filesize
722B

MD5
6336b0db7d1972d752a1e712888dd691

SHA1
a3c8480e862e1727e02f101436fdbacdee9d8715

SHA256
dc955d9ec4b0727c8a3f12f1b09a7d6a5e581fce067ea3aad46d0207938fb22e

SHA512
fb75e68eb9b974c1cff4ef9ad29916f9020e0f2cecd0b3f244948b9e9d3f1cbe4bd837b8237ff5b814c466d94d42447c853e32d916fb08903f627cfec677f174

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aCF60.bat

Filesize
722B

MD5
43d8d4b2771a5cfcc2658112d98fd51a

SHA1
5cffd0fa607dbdc725c2f762a59bad830a75c3b7

SHA256
a88267711e719da17cd1ea03f461e8002a1b4fab9396154d2d46f76ba9096a65

SHA512
243ce0a509e6769b982c8cedacc88d1277e5dad040c73dd2d70763dc7becd1b7c46f13afeace2ddb944b889a6e11a5917cb40eeac0826337198b5e4811ed03ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD0F5.bat

Filesize
722B

MD5
78205132bae3db0a58ecb25827d4c27b

SHA1
c71c8e95eec025d8f382c90f1986eef07a07e107

SHA256
01f635753afb02fcf756c2e55917cfe4afd6e7c4fe537d0a78e5ecb02f8c2343

SHA512
c58ab3ee789b954f2702eb8500c89b0e642364f088acf272cf64619441dffc2f587cb7877c866899ab7e66b35a0167a82beae10620f2209d823bccc63b7c5d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD23D.bat

Filesize
722B

MD5
7c699ea1d91808db0d1991b570d705ea

SHA1
21f7cb0c0e1940a20d2b14857cc1c5d182d9f78f

SHA256
80b933bb2fbcdffc6e48ad6739debbf7d1fbee7fe2b350134e3daae0fd08df86

SHA512
9c2507b733dea7dadcf1193b424dd05bfc78af77fb975dd84f391f038a2f90944882ff00e2d2ef2c1d1e70f08d35e02ed95eee18ad5f8ab1619bf994c10e6ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD394.bat

Filesize
722B

MD5
f4523669ed832bac0870dbbfe56cc031

SHA1
4ec82eb143e966532d0e1217eb7892750d3aedde

SHA256
82ebbaa0e8b408fc11da8d919e51992cb07809286fdaf705b67dcbf663369a38

SHA512
3d95582e66dad8d85b1be169236f3452adf7d89f8c7751b79accba04a40e8413d5a30cba7deb70f6d8c0b9fe34d893d48203402b617ef5eba00aab3ae8190b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD4DC.bat

Filesize
722B

MD5
ee9acaad8b30b93b993aedda55bf0d6a

SHA1
6015da0e2530b7b5757237ccfddf172d6f2f8ef1

SHA256
f102e108a63de712a8247e2850f60adbd817841c67d5f853f7132e90d2474751

SHA512
8f8a4af09aaba11dd07a8250e8bf31d9fc403d1d27319962186d6bb5d4f4eec511ceb79f29d48ad4dc00acc75ac4fa564ecc76c473b9ab95bfa64301ff3e3a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD5F5.bat

Filesize
722B

MD5
8c310f21dab9b46742b7d136aa9c583e

SHA1
7e349adb5a5ce42e345a0d906248fae391cbf6c5

SHA256
7eb54f4f5f26779163bdcd4ced7173970d540fe0d08a25d8bcfdf709abbf8bdf

SHA512
f76959e3a8d346a3d705b81bc7085b784abbae44af5f51b781be88bedc6dfd5c3c25fcf1740e8c6d59d0d6600ad57f98fe45527d31a98c13b27e26073c1296af

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD73C.bat

Filesize
722B

MD5
2754559f036da9680dd298a360e1f7ea

SHA1
5b25fbdbd66993e513b22f8c7aace374d20899d3

SHA256
9491bba248b568514c9921396553d581bda0804572d2d08193ef962348060bb4

SHA512
b51e494b6c000429be6ed8898823fde140955ec92c9c24bf66aacf44ab22c00a2b2960e65b6d5187ea909ab7dfce2b1bc6e6f7cef632a9c403f32c3e50e3a26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD8B3.bat

Filesize
722B

MD5
099ec7e142d1ff7055f62b1c1f1b3335

SHA1
5f9efb24eb5fa0ad2f3fcaeeebba840fdf520569

SHA256
0713fbd88ec0ec4be48defd3758e1aabb6ab5a4413ede3933aab37d8853bf6a2

SHA512
47ef1f9fa66e449956a4191a6e6f11ddf2c5873e210b64b37bfb9016c3505259a78e1b61ea9e9a2cf75b00af9d924c1ca6c46ecd7b51ecab1f72cc464bedd307

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD8F1.bat

Filesize
722B

MD5
93d600595d0e0f2a6e5d404f6b7e86b2

SHA1
c80c13d00b485aa97ed9626b3ea8d10b7e817d93

SHA256
48923e65e41d693d58668dc3af12a582843ff026bc1c84649a0359751e0081f7

SHA512
d84d75c41e9613af345fff0cc505e1434846a57db3de7c1713d43fad7a4e7671b39127d8f57126dad7c0e7c832d921cd7fd93f96275d3a18ac479b6aa473528a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD94F.bat

Filesize
722B

MD5
38d392f64e56d5ab3255f741e7156459

SHA1
510bb5a4932e6bb3d1152289b41a140be6f39bee

SHA256
4e27dc0f9686cc458d06fd0fd730e634649eb214ad4ab79d7f60ca765018ae58

SHA512
5c7072c1966515ef833b9e327315b39f4daccfc3e3df5517f69b12b76341efe16765082bc6bc109dc33725c7341869dd982d406e640115ca9227a6bc50c49c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD98D.bat

Filesize
722B

MD5
55c2d499fc4631462ceda78fd52bd2f7

SHA1
a44d5127ec593f4b314eaa555283126f9756f382

SHA256
6fd1aafb11eca21886bc8e49de872dcb5bc38ac5c9fabb1044a7586fde0375be

SHA512
ff35a5e3a972a5b92f7dd43c9e483d9431b517595c7e2a4db4093ee1c7425bc9aa754f6d873ae21ae2731737bf2db0eeb481d3a486c1c598d0a2bbbab987706d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD9DB.bat

Filesize
722B

MD5
d6a317370bb01dc52bd32a0fc7c2e09c

SHA1
769a434386a8a0be13eee4861ee5ca3a185a76b1

SHA256
6884d99689a22deb7d271958cc4855acf32bcd67c234df535a5a503f7c94e0f7

SHA512
3a8198ea873bfcb4d31272ac079d57aae09c8760055fb4fcb7789ad580bdb6337013f6a22d3418779fbb3de4ad0bacca0fce53bbf6d88014742f0a2f7cc26d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDA19.bat

Filesize
722B

MD5
7f9c490bb2add9f890b26b014ad3b551

SHA1
aec139b28f99fd4072eaedac634801fd97e36054

SHA256
56596cfde712b8d512cf0f62c51be3205c175a61038b6dfaed657b4c30b61036

SHA512
cc72515b6dd5c3bb2a54231f67630c7f2549963cca0514d7aa004c57a28feee28a37cc9ae7616160325079bd82559ad10bf08f5eab7b79aa9b91374009cbb441

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDA67.bat

Filesize
722B

MD5
8096c77b4235a9469d50055729d812f0

SHA1
0f997944e07a3c02e5513fb489489b19de5d727d

SHA256
bfe89218a7d755e5d14168b5e5e6ec57c1b0e0f55ac6ad5ca3bba97725e28733

SHA512
98d1faf8e48f61c9f4e4bb6ac34698024ce6bb01a060b79863c8253fcd81419528453c342b93c0df452d4ae073a85ab59096cb7c7a4d1a00bb275f31fac54801

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDAB5.bat

Filesize
722B

MD5
216e237d7ce2239565af9e0fc55b8d8e

SHA1
e6a1e000db0eee4fc715a266ef8c5a285ed68b81

SHA256
3114dd9a2d30f113e763e90529ce9072c724b7d0a933848ff2a30d828adf40d6

SHA512
db0cb43cffd99d44a4230f4547bd0aadb4c219a5576182dfb0f15184332aa8d3a6ccc0af701b53349e7d5987a8e5f70690af706c1e0a009b7fcbf2406281fdda

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDAF4.bat

Filesize
722B

MD5
8dc493a2c6296c792a4fc914bec4fb0e

SHA1
9e53ad9d001dad51bff363c96b8f2654a35f98ac

SHA256
c90d98062849910b2b365a2923f07ec967cbcd3a3d03aa38f38035ac6300c95a

SHA512
9717b3fb3d0c0243f34bc9474571571dad874f6c635c4842ce4a1213b44650bb50b23c3a1e2ad511a41a29f99e9c47d609663cf8e7a6162519a7ff822e6e5a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDB32.bat

Filesize
722B

MD5
cbff9297fab730a920ff4a2bd0461077

SHA1
0502ba72b5a1ef49ebb7afd16fe72386d2592f88

SHA256
2a2ce2fb5d32d2e797babaf75a4b18a7030975f4fe4daa94b064429b05a91c4c

SHA512
5feb205706b0f3e31075fbb6744cfa5c81bf937f9d648779946061132d5c798986095e222c6e25829194b27e1b91ed21b37c837851aed15fce35ab456217b516

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDB71.bat

Filesize
722B

MD5
c01e1e1ac37882f6d605320b6aee4257

SHA1
35158d08337aedc7a89ffeab4430f4d3ccb59fdb

SHA256
1e33658477f2623f9ece16fddd8caad84fa85b1217670ca309deabd7b6ad767a

SHA512
dfd095b5e7551e8982e2016b5418e82813fe20d782c42319fe8ff52687d43bd650b4e0441499f3a29010606f6a646567ce482a5c97378bd58cb6cef7bd95e569

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDBAF.bat

Filesize
722B

MD5
893d083376eadfb0886515979544e56e

SHA1
80e45d6d3f87caacf8f2957038b58a7f7536ce4b

SHA256
415a4dfeb99b7b94ecf97829167ab6aa43b7bebb2af07014bc9e8e496cf882b9

SHA512
9222204c4ba83bc283570cc2a1e8022db7265185e0c698477cbeb37df778727c4df0a6b94cec12422ead7111007cac625946bc4f211ad69be77c087e21a3bbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDBED.bat

Filesize
722B

MD5
058f556054130d724a49e35e7ad4fb40

SHA1
1f54a356217003ed04cfa3d370cc9bad92832bb9

SHA256
3af7515a2cf65c4220a06fd9dfd377fa4955c31110067b820f8d401d11d6ba35

SHA512
8342aa0b52933000ffd12d69d0f7fd963faa8399aab77379ad1891f7515d996ff1a6279d0584e3dba14a4d9bc792dfdc6c41d83e5bc034f7d7eee56f05c4f010

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDC1C.bat

Filesize
722B

MD5
f6047af0a99a306de422bb0e72a9f0bc

SHA1
2e1bf72bd012ca986a848ed847978e9ba1a87650

SHA256
e1690f0a8482f4964008c47c4d6e3101106c6f84c1e8e4d0e15eee9fd30728ba

SHA512
d7a6c3c3b3e4e54a90ef4fd4ac7bca650b89765766c509b53dfcb2c4cdd8fbc13af256c5e97b4fd17167af9c202accaea457ff745455f10628a89d702ddef9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDC5B.bat

Filesize
722B

MD5
9db8f7a21987aad919758495f5dee6cb

SHA1
ce1f5091f08f2bbb4a74b43bbff3554956fb0c22

SHA256
e55977f16cbb13d8f9cd836e869f8ed331a2668bef461f88bfa26a4124ebb9fe

SHA512
fa6a37c8882d98bdb0bf8c371c46ba1ed7f022a0a783c4e4324a90c67a7859f85bde53ee4e8f1eb8950dfc7cd46e6865c56c98f74ef0c8736ab66f83dbc50ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDC99.bat

Filesize
722B

MD5
4884d7d805156765d1848c1908d33e29

SHA1
e4f5cef85f98a3855c0b33649628b6e49699ea8c

SHA256
24b74e68927d851bbf45dd63d4fb146375640de1de995ee483ab852276c7ceec

SHA512
3ff3830c0877f3a91b4d672377a976ab23176c8a742b2cae31dad54a21ef809e470b1d9c7543cb7497f80ceef5ed43894589733687eff12a26653b562b2c001a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDCE7.bat

Filesize
722B

MD5
395f34a88fb5dcfdd193765e2039f888

SHA1
4b56a5583ee798c2593d8cbdfac00d616e4b7ff2

SHA256
76d73ed31f957e8b7495caaabe485f113d29a13731a72c2496aee0ab5251a7e2

SHA512
ad8e3c532456feb0dc8d574fad91952014558ab8f8f6d2fb98d40e6d2e4b912fb79554d7d1dfdc169a4fab8ae4b67b3c78c898bd1e990fa74a602c7367c656a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDD35.bat

Filesize
722B

MD5
487f6e0549e1704d2b0fd13a8ebe8a7e

SHA1
b2e25bc6533deaff6241e0f4d78cc238f0e8426a

SHA256
a059f87f739a72fcae1fd8d105861b54e3ecd48fb2995f6c141bd4fea0e4f1a8

SHA512
0ed07900a9bc75c2790880bd7a8d181d7d3c03a3c4df00aa5edd32b388334062e9a5e3c0edde0f4eca44926c775163f9b8bf8a561088f5b1a7fc11163c7b6ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDD73.bat

Filesize
722B

MD5
486de2aee59177e18384acb28b368ffb

SHA1
75c945d2cd9e3bc45f151c847af4f12c5236b3d7

SHA256
cdbc46baa418fddb24b6ebf5a558b0244c5d86c011864a3380e44064e630b966

SHA512
6f21edffe2393fa832250c60a2221bdba0687877a7e187f52ce1d640e197bd99d915bf54c9e9f348c41df69bc83f7ef401015124aabb83660ead1cb703aca291

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDDC2.bat

Filesize
722B

MD5
d042069717549893e83f4ebede9f3de7

SHA1
48dae1f3a5209f8eaad6b8b4ee1f08e2286501c2

SHA256
6cef260d72c42955a75edb5ea80d2a0724a8969fbfaff23ffbae8b6b90c59c11

SHA512
901fd24b747944a885680023f463dc0899b389fb8c8ccbab6c748d8aa9e506cc678c1c24bee6518254d174b888feba195e3c27e5fa96cad9add0b099113e866d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDE1F.bat

Filesize
722B

MD5
e23cdff66741de434c324e48736c19df

SHA1
ba70ccf378ce6d999faa4b7bdbae9cb7265ef609

SHA256
0041a4f0f10c1d798ebdb06dcf5946f0332e1ce01b6a70caf5d928e20a418566

SHA512
38390a44daac0a2bd28eadc15f51e2e9d3bee51095459ea68626f82a9979617bca3c369e712e10b23f3929d4a00ff975b0e7c336c21cdac5c4e340f143495128

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDE6D.bat

Filesize
722B

MD5
231f0ec58894c3a182a8c6d25615527d

SHA1
36cf07338c1638253faf5d1db7e12cc737b9cf83

SHA256
2db4626d7e0688aa3fab6a70e4d5fa0f52bdc4cb3fe2224e9c534b2dc9c65cdc

SHA512
d0289df5604564b939916260b4747344f7b1fcd0e6412b2a415424c5f2591244bae54f80a200a56aa17a609ca8e84023b8b404268f59dfb20b61bae165df7a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDEBB.bat

Filesize
722B

MD5
8af2bbc743739cf460f80c58b3981ac9

SHA1
568a07d0b99cd47bdfd2c28579179810db2d7eeb

SHA256
d1016998aef72b2deaec1f395c16c2d7b404b03b0a6161eeb74591548924f353

SHA512
c26313b442c55e60c60a9f5462bdbeabbd97e338e2f363ec73d836ffbb870333275c82e835f9c90cf5f0641506e0cd6669446f58988f674b1454a355dd018f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDEFA.bat

Filesize
722B

MD5
ddb61f11396f318e96c9dda09b8750ef

SHA1
f29ad61c01d7cef351b3414e123a547bc4314d9d

SHA256
0b492a59944593419af0c9311c525e8b837e9c35b783354a1c728e2cdc63754c

SHA512
cea38ce38de7bec74bacdc36c65d414edf4dcf9094a593ec4f7505328dc5e19eefe68388c20fe6f79e4ede4218d03415fd7dca9c3246910ba5fdb60bc34f8c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDF48.bat

Filesize
722B

MD5
187d93028675b8717faf233cddf91ba9

SHA1
2d53235d5f261165abf37275909161c1838fae04

SHA256
0842eba73512c366408a7772d85be2a2732434040b76ecfed8dae07bcff7231d

SHA512
646c914ee363f3da3d4a424ac59a478c6bc096aa51c4cd38a6d118c5e187c8c9570a2df3f71987c97b7da614c35923c520dcb705ae81bf5f86538392a8e83ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDF96.bat

Filesize
722B

MD5
d91934e473ac33d856aa76df6a3be789

SHA1
fa6ba4939e072c0d9c97f3bfa5e539fe4cb6fa46

SHA256
72ea01847374d45d91e31ff27ae74259f37573e10939f9e63bc914c32c00565f

SHA512
75472be0144d6deb1594837219457c1de927c25afdc11fa8c4ac70daf67de942873c9e780884765713a1605ba006d5357557d628e655446d230f369a5062904b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aDFF3.bat

Filesize
722B

MD5
e76504317297631175b5e296182ed8d2

SHA1
827e2c4938a276169676009a8e51e80e77a9c29e

SHA256
d1be731a992246f9df5093ff4524e7748ac446a35a9cb4532fa9a05aa0e9bc14

SHA512
44f53b5151379fee556688122f7cd4103b57c3cfc44635fd97b2e150f39c5aa908254d46dafe5ff1741d3ac8b0ce48d3c78396f1d4e167c066f43b2ca0d2f7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE051.bat

Filesize
722B

MD5
c98ef444592b427212e231839a329f31

SHA1
defd93cd673b4f8232c76f96eae1f07bd9536364

SHA256
9c1ee1d7121ac60c0de84d519673cfe528e77e86ae08366a97e06e9922b1ff36

SHA512
88b672b517f0f6737b77e0ba399642ff94736939df529cd1b55129323676bbe86ef0ab7ae6cbab6ff79b7760d72cd65cd6c2d96836d82a0b6809b08d49702929

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE0AE.bat

Filesize
722B

MD5
79f25bb1b99b79bc8f8f3157552bcab0

SHA1
380aecf6ed20f90324a614b37e93c3e3c89f1cf1

SHA256
4902cb7492c6be0b6f3c475a4922990b5855de8ef9847f46fd31a6f1acad062e

SHA512
b3178ac5b3093469f066ef998f99755eb133712646010f8118ce6179d8ccf39dca9a8c3cea2cef335db883cdf61bcbe2d064cd5395d8278902f9baa04e3f4409

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE11C.bat

Filesize
722B

MD5
edecb81b8c2f6b3ed0ee2432b13fc8f2

SHA1
7d7a74d48c30b420de5880f5c9d317112351f71b

SHA256
82936b341b8d96b245178d8530fa6741a5ffd7b7aa46c457ed59cd839f2c2a76

SHA512
b74de705336128cf3ef317f4b0e19e6975165a28420a9e031df5f61787831d8622daaf25b8c7ee68ec5f003e4776bd3a4f343c80cb3e0f90c2297efac9b638d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE1C7.bat

Filesize
722B

MD5
b0cd461bd02c5f5f05acbc98f9e5bf80

SHA1
434a0df1fdbf68f52f06ec63cc2e00d6e16cbc4f

SHA256
d3aadde1d561b8f94353031d8f2453212284d95835c088e999e61efae5021058

SHA512
6d7e76de8cb0a936c694f8c10d68f26924ff358bc72fdc89fb8622beaf0e3b72d618e8399b3c7da6c8a0cbd545f89c9c1f8c1193177ee84ddd23b6f1a05413d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE2A2.bat

Filesize
722B

MD5
a82314509e2f2e946af0c14de885d532

SHA1
f592290c5fb66bed2d89b5cc47e06f38fed81519

SHA256
5337d2a9b6c1ef85771efe74eb70f205c8a6ab0734ced5bcfab9e8226bceacea

SHA512
b421382050c4ff927b3a4d3d5bd4ee41f515fc67a41fdd7f727c893e266047ef871531fe48bcb4e3d6756a27d064962de89c8bf11d2c7403caf68bdbde5ece3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE35D.bat

Filesize
722B

MD5
5e8c8580b794d4d5a7cc9a5243069900

SHA1
10489ed3b5a375310612bdf2b95b49c9d7b27096

SHA256
9727443a930350bd831d9b5abad4d13c55cf76467c27fc46aadc7a3c67acb564

SHA512
dfcb553374112b1319a51d1c19ed9c85acf583ad6df59c97237851de68cf4207b5007161682e8a29f0966605528d67371e5d2338c67e52ecaad5261070e00023

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE3CA.bat

Filesize
722B

MD5
d6e80c87c4d84b2759891f172f357115

SHA1
cb9a6893cbc7c4e96d60aec979c171c04b9589f5

SHA256
baa4671d5a73366f8c69d5c69b6b88a0af078b33a1435921755400d23cca8fb8

SHA512
47e0939894bc8c7d1a36e3b06921db1b09a4997fa89011fde3f64b291d7276e850a57bfebae592f22dc522ddb88a9fd7635b4143cbf7e74a2f8fb87d411d40c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE428.bat

Filesize
722B

MD5
f9d78f7708b02eb9a0f4b477ab418210

SHA1
98b165c17344849700dd45c8372c74dba59620fe

SHA256
7e0d62fc754b4b08a6b5680629495dae40dd8888e50ce75f3cae10f3d2918253

SHA512
ab6fb1906a7a81a06da3dceb67377df184997013f5bc96dc0e1f385cc3a840eed842e50f84f96fa42623568fec8e900cf20bf68931ac0b59924045efcf42c817

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE476.bat

Filesize
722B

MD5
705a66f71b20d039db24d2965a7a8c6f

SHA1
83e552b87cc58adf7e0df1c19ade0253ee765984

SHA256
7a140309ad847125951dc7eb08e8528ec205adf7e2967f45488903adb14459ef

SHA512
a96ba3bc0cac01ddc6d513fcb6c96f5deee3334a4d968b49e4308499add3416d8cdb5a4b2c74b915e130b058dcd779f2bd88ffd7dc129e00ebff80e38868ef76

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE4F2.bat

Filesize
722B

MD5
b123a10f36b11a95a5b4553874766920

SHA1
bf4c6e8119da630c07614584e0765322e31d6c34

SHA256
071b4718351745ee489b6a2b829fd5729424eae19d07aacc9b55efb9d748223c

SHA512
fd23bf8c9c5b3cd0fb18861f06dd591db2000dedaf2b5d4d5b9e5213b2ba8e5a182d71ecb9a3f4f13221d3e3843bc377d98396c7455501f4d8c660ee0060bea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE540.bat

Filesize
722B

MD5
44dac95d2960c789763274dce30e456a

SHA1
99b02108c14950b2553c9bd35330633905b2cad3

SHA256
acfad31ba26a9e3d17175f72d042dcb7dafd0308c38d806d0aef0c6e5ac52dea

SHA512
aac7b26b115167006cf382f5bd7e1b7f6b56bd9f355ad83524aca438b379d918ca6cca0ae0a6bc4ac334737d07168f5224642367df5dea22c1782d1ff128ff47

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE57F.bat

Filesize
722B

MD5
a405a3f36be38a18679639fc52f05df1

SHA1
78e407fa5d79738c1d168383995332e415998ac3

SHA256
e8e8e148ba7993d681ae3b7f8ab887bfee4f2517354776692ed2669c561cab0d

SHA512
b8cc3079de66025d1dcfbe38cac63db0104cc9cc79cd9e9db390ad6a33fbe0c81d9d8b5cc9a9c07a828784581e1799364280402a1c25f12a2ce04097a73044da

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE5CD.bat

Filesize
722B

MD5
3ccab7972c549e5ab2e4cc64b9e21dce

SHA1
3e27bf16e8bd47a2988e33336688c6c8eadf4760

SHA256
490ed173ead09ff9379877b804f3189f862bd17e1869024fe753f3b8f666aa5e

SHA512
5314e58b8125fb9e569b48589f34ac971e9dac225ebb2b4f77df0e3f066b17688eb88ae6a304e3ad41603ba4dd7b38dbbb2a57d10dcec31573b101fa562e1d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE61B.bat

Filesize
722B

MD5
1f2c4947f159b0a5c4dc19c9d03d0a03

SHA1
5cd94ceadaf4e7fc15cbb0e6af21d16dac015cf9

SHA256
3321c039e648fb4cbe506620352d76f078b4460d1fa8323365c1ea3b6d533c85

SHA512
e5fd2f12ea167f2892bce15d5645550d0b6d353d6fc5fe34976b2c6c4c1d1f843912fa2926b261b91d79b1ee6eb649daa5980df9cb825ce46be0b3a454c3c1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE659.bat

Filesize
722B

MD5
346bdc24efb10ec50461d85667f1de64

SHA1
fe25f4191004001a3ff938c7df042f18ca9bd85e

SHA256
32d4bf6061792a591921d8b4f51cd0e31619045ecc10f9d5a7262f63095d15d4

SHA512
4a2abe88628d4cda152d23d47c41016d919f57effe89a607723376fa8afc67834543acaf7f84f18e51907d633e566c6d14e20a1b90b9c1b026b82664b305c617

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE6A7.bat

Filesize
722B

MD5
2ed2d6cda29f292e2f58faccfdef8167

SHA1
afc52ad2280775cb69f45a2b5a10b6e5d8a3e01b

SHA256
895e5da95ce511548ccf9df2f39425783b959bcbb994056d7e14d2552fb34c60

SHA512
0a4b443c513fdf9fc448390e6fed29ff157d81908b1b7cdeaa0da3147d0a860102ee7a53c482a70d38172a5554a5424f6f1ba2edbc69da121e7e2e03cbbd29ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE6F5.bat

Filesize
722B

MD5
11e6f589979f104fe06a0efdc53aa621

SHA1
5a251ad579eb0dc18f8c6f00f4054ce91268ddcd

SHA256
aa795b4544b8d61b2f9dfbf018bad815f01f70122777a136c8f1132080214935

SHA512
f3e89a93d40c5f57a79b1ad36a956a6121928390f6be083ade520094fe1612843e46995346a71943a183d519a7b99cd7e2fea931dd792adb81510455812d6ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE743.bat

Filesize
722B

MD5
8de1392e7702d82fa822f49230bed4de

SHA1
d0af712dd158b5944e272e38cf88a59f518c08d1

SHA256
cdec7f7ea8d308ac4b76362c800ea7f7aab1f03131c45b6c4a2781d1228502dd

SHA512
7971b7430d0e0d930cad8a569b813d69327cb519cb3b34266be8278a9fe2d45dc51a5460b0df9d78bd9e92169f5fbc5ada2ecb17465b61f2c726245033b8313c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE791.bat

Filesize
722B

MD5
26269e91d5c162431571982fd142de65

SHA1
44aaadbd1797fa110d8dbb4e9298a7434064bd70

SHA256
aa34f88f927584652d48286a004026829cd1f01b3378575af650e7455921e640

SHA512
9e992301a9030f036784a0d0c9f157299646cd18962e179568a88a79deebe4b86073e4fd3dd6974069bbf2e24d1065848557cc2ebab4cf2ae40a822b8e2a533f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE7DF.bat

Filesize
722B

MD5
cb38a8887ba481fd6f408c4262ac2ca7

SHA1
66152e2947ac303baa225e898e9e7f26efc5754b

SHA256
b49c6e128e543355686bd2ddd2e6dc74a80e86896bf214c30b5a3adea0e668b8

SHA512
f72c8b1ceadb067a0b0033cf1e82175c944fd2497216b66d2b37eb5dfe94c664ccdeaaa3167943aa7467f77d46097e2af73cb1f5e998d46e0f85ae2d90cf1338

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aE87B.bat

Filesize
722B

MD5
349717dc9141b9c680db3c1d5b02ba29

SHA1
3086dd3e34210666b26c71f6d8e98a9ca1274cec

SHA256
7db2118a56cda566e23517888323f99274cbd751f1eeaa1870e1542b174d0da1

SHA512
156feba456ce4bb771b528cd7a950972f7bbb72792141f5ad1de3d179d466b92edd1d3b36a3cab9e2d2e0e5c995cbe7d6cdb87d78d362bbee3bc3569592b1985

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.4MB

MD5
ac788323972e7ee7243e740ff2f8daae

SHA1
6acd6d700849ca9ad064481461f4b7988dab1945

SHA256
5e7a0c5ef3211fc58e0eca20df194b478942534d5968441fc354686ba7222ebe

SHA512
ba1e52d4d8ea9400b359ef4982504010bd12a007d174ac86187050368c03b78e89b51324429d909741e4f1598be2eab28d0b400f0698b8e085f12beeb6921778

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.5MB

MD5
2d8020710bd51a9280bb8c23c28bff6a

SHA1
3b6ad35921dd59358b04ec304b922a7aaa2149e0

SHA256
c58bcec14503c2167a549ddec40418a4151c1624287f76961539d66e52bc7146

SHA512
d7e146017539111d7f45efa9260d3ac12840ec34574ed6512a3c498ff368eabfe68ae5117c34207170057e81361daceda7ece2c48b25642dc2ee33b82b0b8b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.3MB

MD5
ead3d576cab6bb3e77414935b36ace66

SHA1
e347ab64ced05a4e50b4905cb800147620a18e6a

SHA256
5600effef951ba7fa3bed54b59a857bc26814b45e68c7462f67b1714258b73f5

SHA512
38fd77828d2d8796a33b52e0b57cefb792064a9cef691c8dab97331321a3b3eae6a7c0918c3617a00bab16a686f52c9296ffb022d2b78bcaaa51e9cd1146112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.7MB

MD5
e80b5d6fb28284211542354b55af2e98

SHA1
3f3c0531c1dd664951bcc610f391c6ed85d47e31

SHA256
691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3

SHA512
a0ef807133f9b2f9dbc4e239588cacd0674cb9d87613fd9af62eebf98703ac9761115a1be64ba0a72bf3f6539e41732117e4938d77b1db36e86c6f30d618721d

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.4MB

MD5
58231e8a54a4d5ad10981a9261d6df2f

SHA1
79fd962af3dede9832de8856fb96b7723cc2ef09

SHA256
1a2fd6986c0d5d25002b7ef2ffdeab383f7cb19ead19248c7207e5d26bd67f99

SHA512
7e53168e58d3c2d8472a589a711366d932f5295e330544b6ded5a32e44d857f823465ef572ff5d2145ebb5e9d597913c91b6e798177c8d81876bd63eaadb94e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.6MB

MD5
c1fe2f5aa024333c9e16b50f567e7edd

SHA1
f0e1e898af04b82b45c24d5350c2afe7f9d2e2d3

SHA256
a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf

SHA512
554b72d82a6a329957070dadfc38253899044de67c9d6bd4f27cb9531b097fe1897b6345be2360a76c8a76a6edd780b71c3e0deccffcdec2e76f8cb6880b6f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.7MB

MD5
a0d5d1a7e51ddf3a16cabfebdca1abd2

SHA1
634b3231de7fb93cca784a292235f54faf0f5d81

SHA256
f0fc47be8d77e7d6fb3cc7e2e2101483893e30928fb7c1de6a01fb59d9415877

SHA512
b81fdcbcebc7a614163807aade53f1c6209f9c3b5b86af19268e0e43c4854f74e950948abac1e2f6eb01a4d5e3b47213246b81a88c1c6f7412aa8e2c3b925ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.7MB

MD5
ae8196496642782572876d6f41d52ea2

SHA1
f94015c1f463180f51e51c0fb3f34333cb42be11

SHA256
68dc1f70be2631441db836e63a0ad0dabf20ce849afe2ce3ce4e06ea364d052a

SHA512
6e0de64ae6a06825bb841c9c3889a63704627869c53045e2043847c20b26095ce159275d83fe50a3ea00b125f5873a34fe549dc2be3947be8029dc91ed3aa492

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.5MB

MD5
082e82ae38f578da89a8fb10407dd43d

SHA1
efa9c8f351a27e0534213096b10e43468e69f4fe

SHA256
7a0e4349ed98deafa6f26ddd1289a9c671fbbcf2f8d3fdfb45acfe809e89f0a7

SHA512
be73b48aed9fbedf424c65cd5c6d83442f628205856364ed57d5eaceda20ed852d613456e376e7fd85c17bb9be533e6695894af0578a6625788b80069ac6a23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.3MB

MD5
ee5224c7af0ca448809311f5d5d0ac92

SHA1
6e9d7c7b30a008db94a17f40bd0df234b34b035e

SHA256
1e631817553d5d6546691864c336086c6e6158b7031d93abd85b7be28f952e95

SHA512
46dd8f473c8b28d152d9d176b2f7c3e670c61f58eda2ab21a6e5fcfd328fbb57ca57d38419e5228a2db8057bd9c53048650985bde5d2f0106d53c1ce0dd4ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.6MB

MD5
318d2c741656f06f7d7aa2da999a32f9

SHA1
0522ded7028b5cabcacf251fa66bbaa97658eb14

SHA256
c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b

SHA512
5f4ef057b74e27fde7970f714db3fbc9585ffe4ef3096c89297b4a892446c4790373dfe2c6b0c784c25869c0a85ba22d71627c2012b4b9011e46ac3f840c9fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.4MB

MD5
3baae1aacb86eefd1732edd07f95936f

SHA1
e8e6b0b06ebae55a45c6405e27d131076b280208

SHA256
055e7eb2f930f945226daf682591695c6895cfc321c30a1ed1c580d3addcec25

SHA512
3a8d665f83c8ce15e4f093bdc10ed4388d8ce603c8f6ea41741f56909659afd46ef8a1bd9d49e065e9a7abe5f400f0660aaaff1956b26f6b1abb7ca213f6d752

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
6d85a04f5bb329cbba3880c43337ec52

SHA1
8c2e62f730619b2e06a5fb802e115606b664525a

SHA256
ff95e5e3fea6e5f9692d24c81ab36bae1013658a34bc60cdcd9b4c591e7feec1

SHA512
31919b83c1b66e4eb99612c6b23a7dfc1cd107e51e3178bc8fb695c8243d7493f43b05a4ab8d0880763aa584ccbecdb1b61b31f0a66d8a92938884b9ef04daf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\_desktop.ini

Filesize
9B

MD5
e2a14c19421b289cbd51a76363b166bd

SHA1
5d0621d68da5a444f49c090b0725c7044d47fdb7

SHA256
844af243be560dc4e478aa7ea28f4959f9df45f204006bade7ae52398d651835

SHA512
8c49bec05605c4d2b8f07f00a7a39e70f5bd4f7c84ba221c615447f947053bf3bb0496c38e2bf8b15235c493cc5a0b41f34285fed1adb4c13572f25b67e178e5

Download Submit
memory/276-2294-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/348-409-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/552-94-0x0000000000340000-0x000000000038D000-memory.dmp

Filesize
308KB

Download
memory/560-2325-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/664-1934-0x0000000000490000-0x00000000004DD000-memory.dmp

Filesize
308KB

Download
memory/764-524-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/840-536-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/840-526-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/888-2347-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/888-2357-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/956-420-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/956-421-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1080-340-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1112-419-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1148-176-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1180-89-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1232-631-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1248-104-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1268-2304-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1348-2081-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1388-127-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1388-117-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1388-358-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1400-4170-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1400-2386-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1412-2346-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1424-1269-0x00000000001F0000-0x000000000023D000-memory.dmp

Filesize
308KB

Download
memory/1608-1026-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1608-376-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1776-2358-0x00000000003B0000-0x00000000003FD000-memory.dmp

Filesize
308KB

Download
memory/1844-2228-0x0000000000570000-0x00000000005BD000-memory.dmp

Filesize
308KB

Download
memory/1864-551-0x00000000002B0000-0x00000000002FD000-memory.dmp

Filesize
308KB

Download
memory/1876-331-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1932-191-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1968-349-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1988-322-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2000-2316-0x0000000000430000-0x000000000047D000-memory.dmp

Filesize
308KB

Download
memory/2020-410-0x0000000000460000-0x00000000004AD000-memory.dmp

Filesize
308KB

Download
memory/2040-442-0x0000000000460000-0x00000000004AD000-memory.dmp

Filesize
308KB

Download
memory/2068-2367-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2084-367-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2100-474-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/2100-28-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2100-26-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2116-76-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2116-19-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2116-4164-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2168-2336-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2188-718-0x0000000000270000-0x00000000002BD000-memory.dmp

Filesize
308KB

Download
memory/2188-395-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2188-717-0x0000000000270000-0x00000000002BD000-memory.dmp

Filesize
308KB

Download
memory/2192-441-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2228-3059-0x0000000000170000-0x000000000018C000-memory.dmp

Filesize
112KB

Download
memory/2228-3058-0x0000000000170000-0x000000000018C000-memory.dmp

Filesize
112KB

Download
memory/2332-463-0x0000000000200000-0x000000000024D000-memory.dmp

Filesize
308KB

Download
memory/2340-262-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2340-462-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2360-2377-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2376-116-0x00000000001B0000-0x00000000001FD000-memory.dmp

Filesize
308KB

Download
memory/2404-473-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2404-272-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2404-464-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2408-453-0x00000000001D0000-0x000000000021D000-memory.dmp

Filesize
308KB

Download
memory/2420-2387-0x0000000000370000-0x00000000003BD000-memory.dmp

Filesize
308KB

Download
memory/2448-197-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2448-207-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2468-2326-0x00000000002F0000-0x000000000033D000-memory.dmp

Filesize
308KB

Download
memory/2500-85-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2504-515-0x0000000000130000-0x000000000017D000-memory.dmp

Filesize
308KB

Download
memory/2512-525-0x0000000000510000-0x000000000055D000-memory.dmp

Filesize
308KB

Download
memory/2528-17-0x0000000000450000-0x000000000049D000-memory.dmp

Filesize
308KB

Download
memory/2528-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2528-16-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2568-2315-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2572-2305-0x0000000000350000-0x000000000039D000-memory.dmp

Filesize
308KB

Download
memory/2648-2406-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2668-70-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2700-2866-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2700-2812-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2716-281-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2720-484-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2720-494-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2720-935-0x00000000005C0000-0x000000000060D000-memory.dmp

Filesize
308KB

Download
memory/2724-495-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/2744-302-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2744-44-0x0000000000350000-0x000000000039D000-memory.dmp

Filesize
308KB

Download
memory/2768-282-0x0000000000310000-0x000000000035D000-memory.dmp

Filesize
308KB

Download
memory/2780-303-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2780-313-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2792-2548-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2828-2397-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2828-2388-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2828-38-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2836-142-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2840-504-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2844-2810-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2844-2811-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2864-483-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2872-292-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2872-283-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2880-1741-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2884-54-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2896-514-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2916-443-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2916-452-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2940-422-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2940-432-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2944-131-0x00000000001B0000-0x00000000001FD000-memory.dmp

Filesize
308KB

Download
memory/2984-166-0x00000000001F0000-0x000000000023D000-memory.dmp

Filesize
308KB

Download
memory/2996-386-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3004-2416-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3004-2407-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3008-814-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3044-505-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3052-2337-0x00000000001B0000-0x00000000001FD000-memory.dmp

Filesize
308KB

Download
memory/3060-157-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3064-2295-0x0000000000290000-0x00000000002DD000-memory.dmp

Filesize
308KB

Download