96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Size

2.8MB
MD5

e6c2e04d19d1e3bb6c9328c4818166dd
SHA1

fe820813cf5ffc8b32f727fbd026856e2af665c9
SHA256

96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872
SHA512

c0f594ff2a1120f87518802b39e482e8611dfe371ba0be7fbcd41c5423ec73117e527c6920744f9ce0c673a4f0a44c7324fc8054774613917595557ee9582a04
SSDEEP

12288:vj7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7:/cX

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 60 IoCs

pid	Process
3984	Logo1_.exe
1252	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2640	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1940	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
5092	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1188	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4560	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4920	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2148	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
836	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3528	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2292	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4344	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1436	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
5084	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
5092	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3232	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4888	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3916	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3676	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2336	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2892	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4148	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3212	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4344	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1788	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3268	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3720	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3736	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4244	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4824	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4768	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3588	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
760	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1136	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1692	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2108	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4912	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
876	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4532	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2920	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4652	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
628	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3744	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3004	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1596	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4116	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4108	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4452	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4848	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1260	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4888	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3452	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2504	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1344	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3464	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
2444	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4060	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
536	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
1472	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\0C528.com"	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\_desktop.ini	Logo1_.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\rundl132.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File opened for modification	C:\WINDOWS\FONTS\0C528.com	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\WINDOWS\FONTS\0C528.com	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
File created	C:\Windows\Logo1_.exe	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
760	1472	WerFault.exe	277

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe
3984	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1472	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4304	4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	83
PID 4752 wrote to memory of 4304	4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	83
PID 4752 wrote to memory of 4304	4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	83
PID 4752 wrote to memory of 3984	4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	85
PID 4752 wrote to memory of 3984	4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	85
PID 4752 wrote to memory of 3984	4752	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	85
PID 3984 wrote to memory of 4828	3984	Logo1_.exe	87
PID 3984 wrote to memory of 4828	3984	Logo1_.exe	87
PID 3984 wrote to memory of 4828	3984	Logo1_.exe	87
PID 4828 wrote to memory of 3252	4828	net.exe	89
PID 4828 wrote to memory of 3252	4828	net.exe	89
PID 4828 wrote to memory of 3252	4828	net.exe	89
PID 4304 wrote to memory of 1252	4304	cmd.exe	90
PID 4304 wrote to memory of 1252	4304	cmd.exe	90
PID 4304 wrote to memory of 1252	4304	cmd.exe	90
PID 1252 wrote to memory of 4768	1252	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	91
PID 1252 wrote to memory of 4768	1252	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	91
PID 1252 wrote to memory of 4768	1252	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	91
PID 4768 wrote to memory of 2640	4768	cmd.exe	94
PID 4768 wrote to memory of 2640	4768	cmd.exe	94
PID 4768 wrote to memory of 2640	4768	cmd.exe	94
PID 2640 wrote to memory of 3464	2640	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	95
PID 2640 wrote to memory of 3464	2640	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	95
PID 2640 wrote to memory of 3464	2640	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	95
PID 3464 wrote to memory of 1940	3464	cmd.exe	97
PID 3464 wrote to memory of 1940	3464	cmd.exe	97
PID 3464 wrote to memory of 1940	3464	cmd.exe	97
PID 1940 wrote to memory of 2408	1940	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	98
PID 1940 wrote to memory of 2408	1940	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	98
PID 1940 wrote to memory of 2408	1940	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	98
PID 2408 wrote to memory of 5092	2408	cmd.exe	100
PID 2408 wrote to memory of 5092	2408	cmd.exe	100
PID 2408 wrote to memory of 5092	2408	cmd.exe	100
PID 5092 wrote to memory of 3140	5092	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	101
PID 5092 wrote to memory of 3140	5092	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	101
PID 5092 wrote to memory of 3140	5092	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	101
PID 3140 wrote to memory of 1188	3140	cmd.exe	104
PID 3140 wrote to memory of 1188	3140	cmd.exe	104
PID 3140 wrote to memory of 1188	3140	cmd.exe	104
PID 1188 wrote to memory of 2356	1188	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	105
PID 1188 wrote to memory of 2356	1188	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	105
PID 1188 wrote to memory of 2356	1188	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	105
PID 2356 wrote to memory of 4560	2356	cmd.exe	107
PID 2356 wrote to memory of 4560	2356	cmd.exe	107
PID 2356 wrote to memory of 4560	2356	cmd.exe	107
PID 4560 wrote to memory of 536	4560	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	108
PID 4560 wrote to memory of 536	4560	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	108
PID 4560 wrote to memory of 536	4560	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	108
PID 536 wrote to memory of 4920	536	cmd.exe	110
PID 536 wrote to memory of 4920	536	cmd.exe	110
PID 536 wrote to memory of 4920	536	cmd.exe	110
PID 4920 wrote to memory of 2328	4920	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	111
PID 4920 wrote to memory of 2328	4920	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	111
PID 4920 wrote to memory of 2328	4920	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	111
PID 3984 wrote to memory of 3504	3984	Logo1_.exe	56
PID 3984 wrote to memory of 3504	3984	Logo1_.exe	56
PID 2328 wrote to memory of 2148	2328	cmd.exe	115
PID 2328 wrote to memory of 2148	2328	cmd.exe	115
PID 2328 wrote to memory of 2148	2328	cmd.exe	115
PID 2148 wrote to memory of 3672	2148	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	116
PID 2148 wrote to memory of 3672	2148	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	116
PID 2148 wrote to memory of 3672	2148	96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe	116
PID 3672 wrote to memory of 836	3672	cmd.exe	118
PID 3672 wrote to memory of 836	3672	cmd.exe	118

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
  "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A60.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
      "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7BB8.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4768
      - C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7CE1.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7DDB.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7E96.bat
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F32.bat
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a800D.bat
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a80B9.bat
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8230.bat
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a830B.bat
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a83E5.bat
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a84B1.bat
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a854D.bat
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a86C4.bat
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a877F.bat
        31⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8906.bat
        33⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a89E1.bat
        35⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8A5E.bat
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8ACB.bat
        39⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B87.bat
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8C52.bat
        43⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8CFE.bat
        45⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8D5B.bat
        47⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8DA9.bat
        49⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8E07.bat
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8E46.bat
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8EA3.bat
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8EF2.bat
        57⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8F5F.bat
        59⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8FFB.bat
        61⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9088.bat
        63⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        64⤵
        Drops file in Windows directory
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9124.bat
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a91C0.bat
        67⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a926C.bat
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9357.bat
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a947F.bat
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a952B.bat
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        76⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9589.bat
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        78⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a95F6.bat
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        80⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9635.bat
        81⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        82⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9693.bat
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        84⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a96E1.bat
        85⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        86⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a974E.bat
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        88⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a979C.bat
        89⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        90⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a97EA.bat
        91⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        92⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9848.bat
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        94⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a98B6.bat
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        96⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9913.bat
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        98⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9971.bat
        99⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        100⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9A1D.bat
        101⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        102⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9AB9.bat
        103⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        104⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9D98.bat
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        106⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9F6C.bat
        107⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        108⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA009.bat
        109⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        110⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA095.bat
        111⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        112⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA131.bat
        113⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        114⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA1CE.bat
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        116⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA26A.bat
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        118⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA316.bat
        119⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        120⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA3C2.bat
        121⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe"
        122⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 184
        123⤵
        Program crash
        
        PID:760
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1472 -ip 1472
1⤵
PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a7A60.bat

Filesize
722B

MD5
b14bdd938296b260b0ea427169ba4387

SHA1
a43be158f1916657ce28221e889d90cb7d64202a

SHA256
2c2784fd5dd4ed4864501e1c2b91335d84645cfb9ce5aced5f2ea8dab22f07d6

SHA512
d08ca690ccdef263552309994b8b37c74d9ddf491e5220d52402c4259d991d822036488088f7a6547be047884da06ce2d6bec0d9ae0cce7e50ee3d0b016d508b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7BB8.bat

Filesize
722B

MD5
9574cb372baa4d6c6e20b89c9e8f270e

SHA1
e2f212503c345002b89e546333d77e1a08202390

SHA256
130a80846dd376d88f351697bcf0798b9c2ec929e97b337228b90ebcdbd39095

SHA512
ef04634b854bce4261ccceb8b4db46fc1011c3c4b38b97ab8c9e91112aae5a1cd823a5d5a30b67e2cb6dc567091f5e99700b1f6aa26d617a6477274098533b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7CE1.bat

Filesize
722B

MD5
1aac23836712336f081dfa298bc9d4f5

SHA1
d13c6054f5f50cfb228724fca1c926239d6f98b6

SHA256
eb335a9495d1bcbad6fb00499f5ef0c303fd381944143a051e2a61ba16497f9e

SHA512
1754fe6efe60f1970a718cd4cc671643ec7e3126a5417eaa6b673a20e1e09e7b9e7eeaca52d5feb8afd175cd2e990dd0f9d6b21a0c8183dd15b9a66292553423

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7DDB.bat

Filesize
722B

MD5
b7cec4486b19bbff2d46a11b3bb81a5d

SHA1
09836382799dd829fee3777c515d7f898a2d0efc

SHA256
fdac88dcd6d18cb5693624c56594bbd17b33397ec0e23451f9fb73142030ebe3

SHA512
1110623d1f22f4411d0208ee2fb253fa8ceee32afc9cf1f62b49b76a9725a92dd0a09fc8aa35837fd694434dc3a33ef6326534fb97f56e502931f38b87e1c0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7E96.bat

Filesize
722B

MD5
2be471cc3c19fae560b7438bee7e20f6

SHA1
f45c4f23f33d53ea962364357c53569ae8f58948

SHA256
4f9d45443112f9ed88d27acc8975ac0fa5caadae3c58f5807b35e9ecc3e68d89

SHA512
a0dd104f713a814b1ac98ae7022f17611a7bf89a3bc60d2c022a063d7037ab35d19ababb4355e8698ca38f74c46cdcf09883c13653dfef1dc848652c761258a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7F32.bat

Filesize
722B

MD5
43634cff13c833eaf8b34d9378dfad5e

SHA1
912e1d82626fb3b2a064636f15f72265ca950475

SHA256
e7c62a6b42692de99ac564efaf5128ef7b9225c470efc4f4558711de07e3813f

SHA512
a1ce2df24357fa8522bb5671e4d96729dfe155408265e9564cca08b9d03409f6dad1ed84bec1d6cef0a436c03ef9153a58ef714ec8d8d54126a06adc876e437e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a800D.bat

Filesize
722B

MD5
84c29ab3e31911c773a0ffcc3ef586b3

SHA1
5b56384aebd38d66117b1fee3f90287b6c873b71

SHA256
b5e8c3508c41feae5c58fa88ed0a96940f1f0d4c8eea18af52d29d28dfe4e40f

SHA512
8dea6f0f52828ee9a2d8b3b5fc2d912f8a7ed976a989bcf992f768d9a2564e5d6ac02c259c212e0f551c80f9685add735b660fd1c3c065eed3b20c2cf94e81a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a80B9.bat

Filesize
722B

MD5
c6ab6ea431eeac08ead164d6fa594391

SHA1
0cfb8298406c66fc8cdf944f1715350dea69b6d6

SHA256
bf7bc49d3d9d9a4718ccf23758ffed0ae4b05810256d4c02877a91213169f825

SHA512
a3b54db715f9502acf8ef10b84be3f3a7cbb6074fd5807e70d9350199b152f9df57f70e78bc80d06bde46898adff52e24c031fc1589e81d4c975d787537df704

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8230.bat

Filesize
722B

MD5
e4dfc96d33a5554a58d7bd06f3a9771d

SHA1
be9b861fdab3c5f60227664c2986b2c87a9b7bc0

SHA256
0fdd8ce6f11cb46ff537809fd5150c81e9383bf8c4667f29b83c2ceef9aa01ed

SHA512
edc85d3c8dadd7ef40d959ae8a67ad85760714113d1a71a19f2ebbb5028a1143b504da62ff601ad1747d230d7a468602902184bdec9e83282d1d8a42e78bc114

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a830B.bat

Filesize
722B

MD5
dc0418bbf3010b2c4df1f966da1e8f5a

SHA1
8c1608026fcbf49c1d7a64cae70e584bcb710ca8

SHA256
29cf117e69ea19c48cc418ecb1fa79855aaf1a40ceae442d88b8ec9499604e61

SHA512
87684136c07014c32e50e9d06625de8c79e345038747d8661bf87cdcbedb28b5feabe7e2b4683741fe960bae8f77e385ee3fa8e0e0a58928939072110a8633d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a83E5.bat

Filesize
722B

MD5
d28dd24e949a78cf1f9ba8c7fd688bf4

SHA1
16e91ca6ba88795d93a39c28678746a3e436d4db

SHA256
f12cba03395fe63ff9eca6fc3f8a553a44137cbaa413c0259773f81168e0be37

SHA512
c981b9bee0346da6b3da98034a5c4ac84ec4ccb868d6cf925f2020e853863dcd321d90c091c16ef3a2fa53ecfc1ef7451feb6fb20cc29de1204a075084a4217a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a84B1.bat

Filesize
722B

MD5
a1087c16a969d7680b1e03089e6c9844

SHA1
7755e3d97162aecc8da22f310fe979c13eb907eb

SHA256
c0add056d111a3cd2b78f94cf7f75045b2c3cd0bc9bbcb697b0dae9c83c5ae0d

SHA512
c6963845ab63c976a163d3b7ffc8f7b56130a0663ca4f0d0a41a6c7608bdea7a292b0d2684eedbc3282de366d13d17006c7dc416e3ee09bc17547135cf4d3905

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a854D.bat

Filesize
722B

MD5
04c4ead0080e72509f36ed5b8e74271e

SHA1
fa239c977cc0a64ba105f0e39a6d1d1d5e9b08b9

SHA256
a03757636a0046df8215b38cc6d92488a105615fe5a81e1def1978c4ba367e2b

SHA512
17fd97ba05c274b3d53b1c6b9169718a503b20a3d2c1daeea8501492bfbad226282a5391c8fc260ea4c926d0a61b97a3861d1d1419148c4e426d93b3fe3d9779

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a86C4.bat

Filesize
722B

MD5
a2637382ec4fc3b01468e39bfa597be5

SHA1
b36f085271b8fe1281363f21ec6c50e39be397f8

SHA256
541259db4859ae53a35740c0f1b80ce29991afc5d3999a9103da1c7c7bce95a8

SHA512
9a3d9af985927fe605401770f32984e742d72b0b0c95ab1c7798fe1e6d6be1967f172153fece545679614214be75808a79a8ad562ad0b07eb4b469530e378d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a877F.bat

Filesize
722B

MD5
6d958a4bd552a0afb70ee217afdb657b

SHA1
4e62244cf1fe88eadc47e89a463534e9313382d9

SHA256
8ab192feb99f45ae503f3d3377be8f5b896c4bd6e7258e11212505a920943a78

SHA512
b6b0bc7483f30f3655007147484721a380b511ad19f14a4185997ee0da0ba1aa1965f56f03ba66500976bdf714f75b7c4c2444ac0a221aaa08d6cfa18875d8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8906.bat

Filesize
722B

MD5
333738cf073600c65270b226dcbe656f

SHA1
37cd9c8a300863656e07d30dabaeb14df5e119e3

SHA256
a1fb98f05e2b35be4bc66f5f239a154161adcbff87b844b659c6eac5a5cfa0dc

SHA512
6a54fd86cc4524d4ad773b3a7c6ab95e51b6051076708076492fd3facb7a1ec341c17b8e72ece4c606570efc2dc9be3c8947f5e343d67c6fc6b81802bd8b3dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a89E1.bat

Filesize
722B

MD5
8c770cf7b8bcbebb308bd5e793a32e64

SHA1
0f8060551c52e9d962f565021a1eee432e117787

SHA256
00ee22ca27aad1cfdb2937e1cafe3b348cbbc7c1f366303a615d6fffd4899249

SHA512
5ac774b05487b073cdb9ff9352c065d4cd1edf7fde2df125f9ee991933117e77896cf2b5a2fa90923bc4731455e2a9e54c8be2bd68bb522adaae74bc90b679b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8A5E.bat

Filesize
722B

MD5
e3cbf85698df7c42d73d967ed47b0200

SHA1
fd90acb0c84dda79fd41a54425499daf97e5eecf

SHA256
45ecb313f2d29ba21fc59bf0bc6175ecd0f55eeb7b870a25f5f1f42f967d0996

SHA512
dcb39293a852c9113051fb08b808210b0919798933eca80311e6fc75b9378a1e73e12e5173c55bd7398e8ce6c14c8daad22cf6b42b4cb9ffaed883a64466644d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8ACB.bat

Filesize
722B

MD5
5b8ed0783a6eb48cd785811fe9326896

SHA1
99bb429135cb870ae3636280986ff9cb79bed469

SHA256
2ac67b62b0871a05402a41fc689c0d486e64eb76f91e41b90e68ae6ec40398c9

SHA512
7c203ec50041f8423b67e6670d217369265c78624d707e3261a0dc36cebbe3d067b63e04d88e01ed497f68bd23faa746b369200d5c96a22576144fa420b68100

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8B87.bat

Filesize
722B

MD5
8baf678849a4d6f53635f4a9f6c02bd0

SHA1
8243806335fcaac3315004c874a001006affc466

SHA256
f641281425335c8f358eebd172f6d541fa6a6084afb5d0b1858fed953da9cd0b

SHA512
25d7958074f128b766c34837099dae30c05c732963933493a4edaa1f95b4d11bc9e2831a8114b067e6f9b1fe77fd46714bce41b2592cdbec78b850bb13245afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8C52.bat

Filesize
722B

MD5
c7ea6315476102cb1247aeb7a8ed0d67

SHA1
1c31efbe9acd324591b9ef0e3ccd60a62d12267d

SHA256
bdc7c08d8aa6c20a6dfb54682c6877185662d8b8da8662accd1792c0e50f172b

SHA512
74c82646082c44f5e11c0e9e53acd8ccc35e1803909f821bc7887a4c9f3c008fb5ecd2278f1d5633142eec7aa27a3c3e26b21e9dd587f56c4766cee3b9b02c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.7MB

MD5
a0d5d1a7e51ddf3a16cabfebdca1abd2

SHA1
634b3231de7fb93cca784a292235f54faf0f5d81

SHA256
f0fc47be8d77e7d6fb3cc7e2e2101483893e30928fb7c1de6a01fb59d9415877

SHA512
b81fdcbcebc7a614163807aade53f1c6209f9c3b5b86af19268e0e43c4854f74e950948abac1e2f6eb01a4d5e3b47213246b81a88c1c6f7412aa8e2c3b925ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.4MB

MD5
ac788323972e7ee7243e740ff2f8daae

SHA1
6acd6d700849ca9ad064481461f4b7988dab1945

SHA256
5e7a0c5ef3211fc58e0eca20df194b478942534d5968441fc354686ba7222ebe

SHA512
ba1e52d4d8ea9400b359ef4982504010bd12a007d174ac86187050368c03b78e89b51324429d909741e4f1598be2eab28d0b400f0698b8e085f12beeb6921778

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.3MB

MD5
ead3d576cab6bb3e77414935b36ace66

SHA1
e347ab64ced05a4e50b4905cb800147620a18e6a

SHA256
5600effef951ba7fa3bed54b59a857bc26814b45e68c7462f67b1714258b73f5

SHA512
38fd77828d2d8796a33b52e0b57cefb792064a9cef691c8dab97331321a3b3eae6a7c0918c3617a00bab16a686f52c9296ffb022d2b78bcaaa51e9cd1146112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.7MB

MD5
e80b5d6fb28284211542354b55af2e98

SHA1
3f3c0531c1dd664951bcc610f391c6ed85d47e31

SHA256
691b60989839be8e276a256f15609de205d5fcec4215a3382806110348be7dc3

SHA512
a0ef807133f9b2f9dbc4e239588cacd0674cb9d87613fd9af62eebf98703ac9761115a1be64ba0a72bf3f6539e41732117e4938d77b1db36e86c6f30d618721d

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.6MB

MD5
c1fe2f5aa024333c9e16b50f567e7edd

SHA1
f0e1e898af04b82b45c24d5350c2afe7f9d2e2d3

SHA256
a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf

SHA512
554b72d82a6a329957070dadfc38253899044de67c9d6bd4f27cb9531b097fe1897b6345be2360a76c8a76a6edd780b71c3e0deccffcdec2e76f8cb6880b6f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.2MB

MD5
14b760d79bf066c92c043709056178ab

SHA1
153176def6ae9b5e3db4a1d70d30a65d315d3276

SHA256
b410192124d4903c587feeb9837753fac84c61209f3ae1d0b79bff93de82d2d2

SHA512
2d66ecf676de0fd9b18ad3db0ed2b4dbb3ab1a88519303155af4a396bde4ab900e0c7891de96d93037669ba16f76d6bd8cd21b0cf73737a65bb5bca422a9c355

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.7MB

MD5
ae8196496642782572876d6f41d52ea2

SHA1
f94015c1f463180f51e51c0fb3f34333cb42be11

SHA256
68dc1f70be2631441db836e63a0ad0dabf20ce849afe2ce3ce4e06ea364d052a

SHA512
6e0de64ae6a06825bb841c9c3889a63704627869c53045e2043847c20b26095ce159275d83fe50a3ea00b125f5873a34fe549dc2be3947be8029dc91ed3aa492

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.5MB

MD5
082e82ae38f578da89a8fb10407dd43d

SHA1
efa9c8f351a27e0534213096b10e43468e69f4fe

SHA256
7a0e4349ed98deafa6f26ddd1289a9c671fbbcf2f8d3fdfb45acfe809e89f0a7

SHA512
be73b48aed9fbedf424c65cd5c6d83442f628205856364ed57d5eaceda20ed852d613456e376e7fd85c17bb9be533e6695894af0578a6625788b80069ac6a23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.1MB

MD5
7b781c296c9518ce7e93f77b8fe3bda3

SHA1
124bd189e2510f852183f51faf67278c8cd1b2e6

SHA256
c50db397ecab6ee6a577d51d1f81d51cb99b2ce149797c8d8c0d59882ab2a7d6

SHA512
24be4115fa2230e35649dce2d1536f25f3df3a7192e530a87cdda00393f1de715264acbab98c745ea7f65f64ce713d01598ed031ada25a61c66a830b2e872c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.6MB

MD5
318d2c741656f06f7d7aa2da999a32f9

SHA1
0522ded7028b5cabcacf251fa66bbaa97658eb14

SHA256
c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b

SHA512
5f4ef057b74e27fde7970f714db3fbc9585ffe4ef3096c89297b4a892446c4790373dfe2c6b0c784c25869c0a85ba22d71627c2012b4b9011e46ac3f840c9fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.4MB

MD5
3baae1aacb86eefd1732edd07f95936f

SHA1
e8e6b0b06ebae55a45c6405e27d131076b280208

SHA256
055e7eb2f930f945226daf682591695c6895cfc321c30a1ed1c580d3addcec25

SHA512
3a8d665f83c8ce15e4f093bdc10ed4388d8ce603c8f6ea41741f56909659afd46ef8a1bd9d49e065e9a7abe5f400f0660aaaff1956b26f6b1abb7ca213f6d752

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.0MB

MD5
6f1ffe9f3e17d6f1cda7e625d1b89b9c

SHA1
6c2e76cdf67bcdd5d4a354f319ab529586130cae

SHA256
ea51d7ab1e6a2d2aed2aa02c1a1088c30ea53afd8579be36f20b79e7e4fe74e7

SHA512
edb3d591356d6d2963f61dda2678d579df61366d7502b5e4d8d54e8dc7c1bfea167a77745d9a8eb0019be5efc41032bc3369cac2070531a565d71574de0757f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.5MB

MD5
2d8020710bd51a9280bb8c23c28bff6a

SHA1
3b6ad35921dd59358b04ec304b922a7aaa2149e0

SHA256
c58bcec14503c2167a549ddec40418a4151c1624287f76961539d66e52bc7146

SHA512
d7e146017539111d7f45efa9260d3ac12840ec34574ed6512a3c498ff368eabfe68ae5117c34207170057e81361daceda7ece2c48b25642dc2ee33b82b0b8b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
1.9MB

MD5
66c74ff5a6fd63536d9510a0ef504561

SHA1
6b34a7e9fb3e220899f77b76c2b26db3e8fa175a

SHA256
535c14bafe9e75f724fae0480e24d0be0c801dbf1d2b81d9d300abbdc7eac326

SHA512
12ce8aa2c0f55fe69d865473580953748bc479e5970b3a82ac673aa2020f89b89ded1ace166f3e5a95138fe996f3f6f804b69a81424404db706527543df865e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.4MB

MD5
58231e8a54a4d5ad10981a9261d6df2f

SHA1
79fd962af3dede9832de8856fb96b7723cc2ef09

SHA256
1a2fd6986c0d5d25002b7ef2ffdeab383f7cb19ead19248c7207e5d26bd67f99

SHA512
7e53168e58d3c2d8472a589a711366d932f5295e330544b6ded5a32e44d857f823465ef572ff5d2145ebb5e9d597913c91b6e798177c8d81876bd63eaadb94e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.3MB

MD5
ee5224c7af0ca448809311f5d5d0ac92

SHA1
6e9d7c7b30a008db94a17f40bd0df234b34b035e

SHA256
1e631817553d5d6546691864c336086c6e6158b7031d93abd85b7be28f952e95

SHA512
46dd8f473c8b28d152d9d176b2f7c3e670c61f58eda2ab21a6e5fcfd328fbb57ca57d38419e5228a2db8057bd9c53048650985bde5d2f0106d53c1ce0dd4ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.2MB

MD5
0655f93740d40e73a63659f993376388

SHA1
84e3cc33c3c25c26392128ea0dc5062cbc89c8ed

SHA256
e5301178fee0cf24e3a15b43642c7d1da8ebe5e945cdeee6e4688d9e72f82b15

SHA512
91e7b34f63c9b4a3a9077462254238d4024553fe189d598f8ee913ef2f45293472e3244870659e88e33beddc184ecc48e1812ac9a912d9bc9fcf4fd5b9c12ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.1MB

MD5
286dfd9e19e5bb83a98ac2b2e20a7403

SHA1
f4ca430d2669af6a56f89a1c3adfb6cca459cc60

SHA256
060afb27e8d052abd7965c922e4b826e3325db24646037b3dd6b92aad77f1858

SHA512
45742bbb0017f2a25b4ee773504a7369b5d0d454bb570192fb05e4747d80ab0240f99bbf2c8484ccfa44978db1b3c815c378d0efad66bf6161b67639c81f716f

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.1MB

MD5
9b6b7050405a5f58449bc2939acf98ef

SHA1
4e5d761679c6b602cb1082f9264a4a332d524efb

SHA256
5d5d2ef460f6be067a1cb5a15f116ddd5bc66e6c687d3c65b8777fce2fa5dd41

SHA512
1b3624b711aa854d28f0d3e37e0e83fb5e74c7a57e13c52823b33ce254a7003516e46b4383201ee397c1fbfb472c5ca183fd9b994b0929e746cb6caf317cc55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\96c1eccc30764a57301b3577ca8befda333174cd14eda6562344987585983872.exe.exe

Filesize
2.0MB

MD5
760a878c0062e76cd1c4685ff30ecfca

SHA1
1c6c49bea462a0a5eff52c635f606f5e73bcfb7b

SHA256
d5c8b63e8e9b41355232bca7a5858058b489bd439c8d3d446c9de098dde7e4a1

SHA512
ae861a14a1302a63e28dd94014b2ddd4a2335e0656d31fda3ef30bb6c435a6a6c2138bbbc616aeb7fd0fad5d5d63a504ac34ff193f0ce54b0e539490c53ab0ee

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
6d85a04f5bb329cbba3880c43337ec52

SHA1
8c2e62f730619b2e06a5fb802e115606b664525a

SHA256
ff95e5e3fea6e5f9692d24c81ab36bae1013658a34bc60cdcd9b4c591e7feec1

SHA512
31919b83c1b66e4eb99612c6b23a7dfc1cd107e51e3178bc8fb695c8243d7493f43b05a4ab8d0880763aa584ccbecdb1b61b31f0a66d8a92938884b9ef04daf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\_desktop.ini

Filesize
9B

MD5
e2a14c19421b289cbd51a76363b166bd

SHA1
5d0621d68da5a444f49c090b0725c7044d47fdb7

SHA256
844af243be560dc4e478aa7ea28f4959f9df45f204006bade7ae52398d651835

SHA512
8c49bec05605c4d2b8f07f00a7a39e70f5bd4f7c84ba221c615447f947053bf3bb0496c38e2bf8b15235c493cc5a0b41f34285fed1adb4c13572f25b67e178e5

Download Submit
memory/536-4886-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/536-4962-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/628-1992-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/760-1370-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/836-85-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/876-1976-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1136-1730-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1188-50-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1252-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1260-2766-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1344-4116-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1436-114-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1472-5997-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1472-5146-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1596-2004-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1692-1936-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1788-190-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1940-34-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2108-1968-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2148-72-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2292-100-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2336-169-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2444-4536-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2504-3944-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2640-27-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2892-174-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2920-1984-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3004-2000-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3212-182-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3232-139-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3268-194-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3452-3816-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3464-4351-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3528-93-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3588-1100-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3620-652-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3676-162-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3720-199-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3736-235-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3744-1996-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3916-153-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3984-89-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3984-4237-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3984-9211-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3984-9-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4060-4740-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4108-2054-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4116-2008-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4148-178-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4244-350-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4344-186-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4344-107-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4452-2242-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4532-1980-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4560-57-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4652-1988-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4752-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4752-10-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4768-822-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4824-473-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4848-2422-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4888-3708-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4888-146-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4912-1972-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4920-64-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5084-125-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5092-132-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5092-41-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download