c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Size

2.6MB
MD5

318d2c741656f06f7d7aa2da999a32f9
SHA1

0522ded7028b5cabcacf251fa66bbaa97658eb14
SHA256

c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b
SHA512

5f4ef057b74e27fde7970f714db3fbc9585ffe4ef3096c89297b4a892446c4790373dfe2c6b0c784c25869c0a85ba22d71627c2012b4b9011e46ac3f840c9fe0
SSDEEP

12288:vj7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7Y:3cX

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 56 IoCs

pid	Process
4608	Logo1_.exe
1748	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2372	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4752	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2948	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
5060	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
3784	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2324	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2488	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
3604	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4368	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4416	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4268	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
468	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
1336	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
1972	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
1260	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4600	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
3104	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
1172	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
5016	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
1440	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
1296	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4508	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
3496	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
3504	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
3336	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
3164	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2916	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2948	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4112	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4300	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2256	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2988	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
3008	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4588	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
912	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
928	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4856	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
1908	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2704	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
232	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2584	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
864	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
1688	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4472	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4044	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
3496	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4676	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4928	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
3436	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2304	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4672	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
5084	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
1720	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\95BF1.com"	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\XLSTART\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\uk-UA\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\_desktop.ini	Logo1_.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\rundl132.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\WINDOWS\FONTS\95BF1.com	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File opened for modification	C:\WINDOWS\FONTS\95BF1.com	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
File created	C:\Windows\Logo1_.exe	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2940	1720	WerFault.exe	257

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe
4608	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1720	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2416	2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	82
PID 2196 wrote to memory of 2416	2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	82
PID 2196 wrote to memory of 2416	2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	82
PID 2196 wrote to memory of 4608	2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	83
PID 2196 wrote to memory of 4608	2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	83
PID 2196 wrote to memory of 4608	2196	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	83
PID 4608 wrote to memory of 1556	4608	Logo1_.exe	85
PID 4608 wrote to memory of 1556	4608	Logo1_.exe	85
PID 4608 wrote to memory of 1556	4608	Logo1_.exe	85
PID 1556 wrote to memory of 1260	1556	net.exe	87
PID 1556 wrote to memory of 1260	1556	net.exe	87
PID 1556 wrote to memory of 1260	1556	net.exe	87
PID 2416 wrote to memory of 1748	2416	cmd.exe	88
PID 2416 wrote to memory of 1748	2416	cmd.exe	88
PID 2416 wrote to memory of 1748	2416	cmd.exe	88
PID 1748 wrote to memory of 1552	1748	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	89
PID 1748 wrote to memory of 1552	1748	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	89
PID 1748 wrote to memory of 1552	1748	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	89
PID 1552 wrote to memory of 2372	1552	cmd.exe	91
PID 1552 wrote to memory of 2372	1552	cmd.exe	91
PID 1552 wrote to memory of 2372	1552	cmd.exe	91
PID 2372 wrote to memory of 1264	2372	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	92
PID 2372 wrote to memory of 1264	2372	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	92
PID 2372 wrote to memory of 1264	2372	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	92
PID 1264 wrote to memory of 4752	1264	cmd.exe	94
PID 1264 wrote to memory of 4752	1264	cmd.exe	94
PID 1264 wrote to memory of 4752	1264	cmd.exe	94
PID 4752 wrote to memory of 2964	4752	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	95
PID 4752 wrote to memory of 2964	4752	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	95
PID 4752 wrote to memory of 2964	4752	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	95
PID 2964 wrote to memory of 2948	2964	cmd.exe	97
PID 2964 wrote to memory of 2948	2964	cmd.exe	97
PID 2964 wrote to memory of 2948	2964	cmd.exe	97
PID 2948 wrote to memory of 1452	2948	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	98
PID 2948 wrote to memory of 1452	2948	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	98
PID 2948 wrote to memory of 1452	2948	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	98
PID 1452 wrote to memory of 5060	1452	cmd.exe	100
PID 1452 wrote to memory of 5060	1452	cmd.exe	100
PID 1452 wrote to memory of 5060	1452	cmd.exe	100
PID 5060 wrote to memory of 2704	5060	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	101
PID 5060 wrote to memory of 2704	5060	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	101
PID 5060 wrote to memory of 2704	5060	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	101
PID 2704 wrote to memory of 3784	2704	cmd.exe	103
PID 2704 wrote to memory of 3784	2704	cmd.exe	103
PID 2704 wrote to memory of 3784	2704	cmd.exe	103
PID 4608 wrote to memory of 3576	4608	Logo1_.exe	56
PID 4608 wrote to memory of 3576	4608	Logo1_.exe	56
PID 3784 wrote to memory of 3096	3784	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	104
PID 3784 wrote to memory of 3096	3784	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	104
PID 3784 wrote to memory of 3096	3784	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	104
PID 3096 wrote to memory of 2324	3096	cmd.exe	106
PID 3096 wrote to memory of 2324	3096	cmd.exe	106
PID 3096 wrote to memory of 2324	3096	cmd.exe	106
PID 2324 wrote to memory of 4844	2324	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	107
PID 2324 wrote to memory of 4844	2324	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	107
PID 2324 wrote to memory of 4844	2324	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	107
PID 4844 wrote to memory of 2488	4844	cmd.exe	109
PID 4844 wrote to memory of 2488	4844	cmd.exe	109
PID 4844 wrote to memory of 2488	4844	cmd.exe	109
PID 2488 wrote to memory of 4628	2488	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	110
PID 2488 wrote to memory of 4628	2488	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	110
PID 2488 wrote to memory of 4628	2488	c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe	110
PID 4628 wrote to memory of 3604	4628	cmd.exe	114
PID 4628 wrote to memory of 3604	4628	cmd.exe	114

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3576
- C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
  "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8B96.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
      "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8CDE.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8E07.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8F11.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a903A.bat
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9172.bat
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a928B.bat
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9318.bat
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9431.bat
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a955A.bat
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9654.bat
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a973F.bat
        25⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9867.bat
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a99B0.bat
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9A1D.bat
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9B27.bat
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9C01.bat
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9CCC.bat
        37⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9E63.bat
        39⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9EE0.bat
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9F6C.bat
        43⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA047.bat
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA0E3.bat
        47⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA19F.bat
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA23B.bat
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA2F7.bat
        53⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA393.bat
        55⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA46E.bat
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA529.bat
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA5F4.bat
        61⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA6BF.bat
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA76B.bat
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA7D9.bat
        67⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA827.bat
        69⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA894.bat
        71⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA8D3.bat
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA950.bat
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        76⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA99E.bat
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        78⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAA1B.bat
        79⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        80⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAA59.bat
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        82⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAAC7.bat
        83⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        84⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAB15.bat
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        86⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAB63.bat
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        88⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aABFF.bat
        89⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        90⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aACAB.bat
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        92⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD86.bat
        93⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        94⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAE32.bat
        95⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        96⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB120.bat
        97⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        98⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB2A6.bat
        99⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        100⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB352.bat
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        102⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB45C.bat
        103⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        104⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB527.bat
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        106⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB5F2.bat
        107⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        108⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB853.bat
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        110⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB8F0.bat
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe"
        112⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 184
        113⤵
        Program crash
        
        PID:2940
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1720 -ip 1720
1⤵
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a8B96.bat

Filesize
722B

MD5
85cdefc2de67c09679aa4e9489bc0950

SHA1
d1345ab6d99590c5fd91bd179c129e11d259ca7c

SHA256
f4c126e5bb6ed11fd23190ec6830c5ab0c9581151e0404376b40b66adfc2ed4c

SHA512
3bd0fe17f554d6b4ee770fd85fe7b965151cdc1f5c04cb46971c4f8b9adc755e9b1d881490cfacf5c04185fd4283797c815be5489c705ec04f01616a13ee3842

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8CDE.bat

Filesize
722B

MD5
99e32b4017731ef78839d7399014ef17

SHA1
00b0364765e2bc016e35e05c011c2477f95406e3

SHA256
b8128b58479a7e2adc3a532245f0ab4c2572302d88512913f8320a87d8eaa148

SHA512
b10f29890c10937f35ac90aa0662c943bc6c3bb015e7eccf552d8e4a64814e2122aa6be71a514c60f3e7f416168d90ac60089d159e84fdf5c62826af4e03b60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8E07.bat

Filesize
722B

MD5
a6929b1b2be844b1be5d6bb358419bc9

SHA1
1a3b7d56b3262177c4303d9d5748f070804c16f7

SHA256
8fb8ad7b293a86babc38d3ae42aec02a44fa2eaaf0d5680d065eca50c0a66a12

SHA512
836b225b983b9534f085bd19fc7402994c40a4f488ba714412403e1acc66d4fcb71a59b31ff782d4e9e42e07397832eb0673dd79318e284b763b67b675811b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8F11.bat

Filesize
722B

MD5
6d59a56ffdeda9601dd12239f83cf95b

SHA1
63caea8e4ba0a12cf1abd5dd13480ebb77b78131

SHA256
e4bb97b5fd4f55bcdccd9d9194e43ad75bc4dee188e64f82a95fcc3af83fcd82

SHA512
b0ec5da5d6c1fe3b3083a6b6dcdc416164f63f5020fe091eeb868767c8d11d542311d373d30c0cbc9cefd6622b94ddaa1f4d6834b4f6b9ea33e88b0bab62c68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a903A.bat

Filesize
722B

MD5
942a243732d119e74280e1822cfb6e37

SHA1
28e5dc4d83d567010b264e38a636613e7dcf9283

SHA256
f18d65be115ad0e516b5aea9d2f1cee6b22b27764a7442469e0700e2f912beb7

SHA512
20f736624641828568566979704f6fee65b05c214509b1df50d59454e7ac0dce47e0252c53a82b5f6f53b4eb3daa44fcad5543e05fa58597934e1f25483a9441

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9172.bat

Filesize
722B

MD5
6b622003ecf57fd9ea0bcf4c09bf5dfe

SHA1
d32d05373bfa9242a84e17a57b257a1a0fbc89df

SHA256
aaea09664e0373a7492d9e910caaf45cfc3666105a77dc23a7497ccedd34d2a3

SHA512
a138adb71f07152f77736038b8daf86d0c8a34cabdf6d1cfe4f65f3b684437677401fdcf06be62132d16a2461c348c3bfb4ae5a6a88fa6b80faf58b4d733dae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a928B.bat

Filesize
722B

MD5
154da22578d0c7f63d1df3984e2712a5

SHA1
81c2bb66eb2e960906b1779209146efd84b581d9

SHA256
ea6ce4d8ac249c4552fd1b9f55e71949b4e442762840cc87a220e2ede4e05a12

SHA512
57b63ff9db85a6c9ac48d1ba1ebb501aef5feea85bbc348def1df8e390f23e13a2c5445d31028afd6f6cf0accabad40efa98e3636e5bc7b34e60754522e662e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9318.bat

Filesize
722B

MD5
54604e40af9d9d74774f1bbf8ac10e3b

SHA1
a68ef5c892a1953edd25886381dd6e6fcb91db67

SHA256
9c47eea1b0df904045e21ab54166f92e55b2a5f248ad09256a7c5ac4c6732903

SHA512
a64acfa4207426c6c98dddaf6e79fc37d2ec3ad3107697814072c2c011db246497ca2245f86515d084abed0c55ccade96057ccd99d3f4f7ae122848d8e69858c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9431.bat

Filesize
722B

MD5
4feed5566475687b97eda1a6c258c3ed

SHA1
f6d6c63ea5855b7bdf62f7d48fd4475930798d29

SHA256
09bbeb4173c6eea7ee3f7de9e2d73055786b65bd28f3763fa28e48f1c9429c2e

SHA512
0c45e5edb7a4074a354b32f931d73a6f2f20236158ebbb7e1e555154adaf385bf78313af412ce22910e8e6588a7ba52ff993426f8e5e9dab552d0f4ba13a2335

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a955A.bat

Filesize
722B

MD5
cd9ac44f98b4e278a0449f83a98035f3

SHA1
27e90fe6532b6f9b933f8bb22f8a09e793528b06

SHA256
15c7f91b7917b10a065eef3d48389733074c0fb778c247444a3af0dcb15e9cbe

SHA512
b97a44b10eb6d2cf0e3b8d773a202d6f487bbf1c6ba4568dc37f499bfb6bbca0b824eea8061017e1449603c96ef274dd18b63e7f747b906cd8d5243fcf5fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9654.bat

Filesize
722B

MD5
1fe67c9cd56cfc40c6199dd0126f8cc2

SHA1
5285c1993b2b4b333e4ae61092d9070c3b444c09

SHA256
4b8a7833e5ff9f93036732e76ae792e11f83570a1a5b56ebe9dbe3666bcaafbb

SHA512
e7eb00b3dba757ce8efbd0c7fba740f20b6581d711f2ec725a2c962ad92f490f858b3defa8448599ea99f99ffa028f7ec75edc6c52b41f2a45310954e4904c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a973F.bat

Filesize
722B

MD5
02ff96c7506c66d13c6af13ddb0a2e39

SHA1
fe07dfc196cdc324e30c819375ac5dcfceaba762

SHA256
7dec1fd3b4aa82b81a021181a9bf9c5b8f36175454ae399f180207d04d32d2e1

SHA512
6681c78da7cb4722c38821d21e648326e1aef214c58a61aee19f6ba591aaace3dc6f40ad5a35b7b9275fbe2f76f8e87386804f2baf26e327adde02c6ca502a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9867.bat

Filesize
722B

MD5
6119acb958f26c1b7fd073f0de34ccb3

SHA1
ab932de66a407088be6a47b6c088a695d199ee08

SHA256
5c659f63a0d21fd77b8ba894ab0b0bc3df9cdf2955f5b41ad9066af253555588

SHA512
b8cf676cb340517822a6e9e2056b0e8f75f2b227c2420adb0804132c1ebf11b6cc7a37f8a5ca8a019d5a3c40fa1852a43becf881043de2f2613d2e65e58e95cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a99B0.bat

Filesize
722B

MD5
d8b14cd5e29b0d06812fdf1d47d4555d

SHA1
9036bf229b108913d989632bda8a1f7fa8aeca8c

SHA256
0662ff2d6ab8506121658f22d309314742357c4e845f11f8eb3b529d7b169652

SHA512
cf805c0cbaf09bde2fd1c4a3112716ab8871100ebf09b8a7198b5cb88a05d1e20f00e6474e7ae2164f173a964fb188d5153edc9f7c7072e615943def1d4c0ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9A1D.bat

Filesize
722B

MD5
bc4d735a197eaa8f0800bdc21b25a6ab

SHA1
e46fc6c6ce33e2381b46d07961fe495b458656db

SHA256
55ca29351b2b7f07e480ea05b4b72d65004c12facc1f955572f397890efc25fa

SHA512
f244a9dce31daeabaf68c9175af6e2228d1cd9d6f3f97ee694c60624cde2482023e195c429a6876d77e3d1caf7d64b6619c038a5a4d73b8948901420393c93d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9B27.bat

Filesize
722B

MD5
e2004bfa48304cf77bf423c8eafeaf54

SHA1
4984b5b386157f807259b8b22e3d5809ca23eaf8

SHA256
89f3325b368fcf48540cce615c2226653a52ab54eef594e596f4eb00d36d6b6f

SHA512
3c005f536e74e5adce10be2218b23790d2a35ff19256c5fb2ab0b70b7f4b1dd4102d8ffc41336fe3ede5f824d28148cdce32b97c4935a20c56dc7b85ea2bb3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9C01.bat

Filesize
722B

MD5
c1060c4132843259031563f5cd58ccf6

SHA1
b5f29b1af7795bcf5669db1b80bd7af3608a7243

SHA256
f50700a776c574dc3855bfef1e1722d0819d56d54c5a9d86e2e3711aaf0b17d8

SHA512
f239ed0098c125d0fae2f0ab840ba47b8bb23ca37118ce5cb80c88c5b08755f166b4ee1eee8ea5001c0158d625444e5160ac7de35e4150e86780c91c76f308d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9CCC.bat

Filesize
722B

MD5
13935995711397c15b919ef8b4d852a2

SHA1
8ba451ce787b11fad597bee395d90ceece25d713

SHA256
7e363add3c1ff5d261b48b0bf79789cb4392b818e34fd74e4eefab1942e9a305

SHA512
ed1e0742703540dea6ba34b35f45e042941cff63554fcfdfdca96a5b34ad65e8ec04afe1f98565fc5b5eb82c94f6a3e508b578adac821e6d32de7db1df27e760

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9E63.bat

Filesize
722B

MD5
276b97030def39cbcc4a9c773a00a895

SHA1
0bec7dd0b4154b540bc952ac2be128697e2f3525

SHA256
c185fd603e77338f6783d5b5a5bf30ac1b1368a1a4eb52926f1d5642b91ab1cd

SHA512
5944ad3c10c1c8915101c81c5bbbf8be2d38b656bee4b81791a686234cc01012e215db585cace861581b4e32c9d211f5209148ac42601b7a1c373ebc1cf50d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9EE0.bat

Filesize
722B

MD5
f4f8e0291cb6c6be2e1033bfbb77c098

SHA1
776135d11859e1d481060412eaac6499625f102f

SHA256
fc8f1e51a3dc0c602ee84d41a1d86fd7cfb12ceffad3fa96ff2fc6c124c1cf79

SHA512
f66b9f4fd6163b055edaebef02e4faa201af1c6f5f276650db67d00ebdb39bfb10d305d6a6878a9f97d2e0e380bdc7d6a18c8707daafe5cc9eacac5c8679bd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9F6C.bat

Filesize
722B

MD5
dc4540942128592eb1f4da6ea37da69c

SHA1
aa3ecc21332a69ed2f88191aa4f98ca07d39dabc

SHA256
bf546c90b8b5ce93ea718422c058c1746f14c6a88f88723a9eaf1e04716a00aa

SHA512
aabb53b73105140fe45cd91f1600f3fcf7f04396907ca7c740315ab7a92b6819d7db5a744f1d24dd52063fbed7298ac652090e4af546a749db1695c7d6e8fcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.5MB

MD5
082e82ae38f578da89a8fb10407dd43d

SHA1
efa9c8f351a27e0534213096b10e43468e69f4fe

SHA256
7a0e4349ed98deafa6f26ddd1289a9c671fbbcf2f8d3fdfb45acfe809e89f0a7

SHA512
be73b48aed9fbedf424c65cd5c6d83442f628205856364ed57d5eaceda20ed852d613456e376e7fd85c17bb9be533e6695894af0578a6625788b80069ac6a23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.5MB

MD5
2d8020710bd51a9280bb8c23c28bff6a

SHA1
3b6ad35921dd59358b04ec304b922a7aaa2149e0

SHA256
c58bcec14503c2167a549ddec40418a4151c1624287f76961539d66e52bc7146

SHA512
d7e146017539111d7f45efa9260d3ac12840ec34574ed6512a3c498ff368eabfe68ae5117c34207170057e81361daceda7ece2c48b25642dc2ee33b82b0b8b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.4MB

MD5
58231e8a54a4d5ad10981a9261d6df2f

SHA1
79fd962af3dede9832de8856fb96b7723cc2ef09

SHA256
1a2fd6986c0d5d25002b7ef2ffdeab383f7cb19ead19248c7207e5d26bd67f99

SHA512
7e53168e58d3c2d8472a589a711366d932f5295e330544b6ded5a32e44d857f823465ef572ff5d2145ebb5e9d597913c91b6e798177c8d81876bd63eaadb94e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.4MB

MD5
3baae1aacb86eefd1732edd07f95936f

SHA1
e8e6b0b06ebae55a45c6405e27d131076b280208

SHA256
055e7eb2f930f945226daf682591695c6895cfc321c30a1ed1c580d3addcec25

SHA512
3a8d665f83c8ce15e4f093bdc10ed4388d8ce603c8f6ea41741f56909659afd46ef8a1bd9d49e065e9a7abe5f400f0660aaaff1956b26f6b1abb7ca213f6d752

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.3MB

MD5
ead3d576cab6bb3e77414935b36ace66

SHA1
e347ab64ced05a4e50b4905cb800147620a18e6a

SHA256
5600effef951ba7fa3bed54b59a857bc26814b45e68c7462f67b1714258b73f5

SHA512
38fd77828d2d8796a33b52e0b57cefb792064a9cef691c8dab97331321a3b3eae6a7c0918c3617a00bab16a686f52c9296ffb022d2b78bcaaa51e9cd1146112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.2MB

MD5
14b760d79bf066c92c043709056178ab

SHA1
153176def6ae9b5e3db4a1d70d30a65d315d3276

SHA256
b410192124d4903c587feeb9837753fac84c61209f3ae1d0b79bff93de82d2d2

SHA512
2d66ecf676de0fd9b18ad3db0ed2b4dbb3ab1a88519303155af4a396bde4ab900e0c7891de96d93037669ba16f76d6bd8cd21b0cf73737a65bb5bca422a9c355

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.0MB

MD5
6f1ffe9f3e17d6f1cda7e625d1b89b9c

SHA1
6c2e76cdf67bcdd5d4a354f319ab529586130cae

SHA256
ea51d7ab1e6a2d2aed2aa02c1a1088c30ea53afd8579be36f20b79e7e4fe74e7

SHA512
edb3d591356d6d2963f61dda2678d579df61366d7502b5e4d8d54e8dc7c1bfea167a77745d9a8eb0019be5efc41032bc3369cac2070531a565d71574de0757f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.3MB

MD5
ee5224c7af0ca448809311f5d5d0ac92

SHA1
6e9d7c7b30a008db94a17f40bd0df234b34b035e

SHA256
1e631817553d5d6546691864c336086c6e6158b7031d93abd85b7be28f952e95

SHA512
46dd8f473c8b28d152d9d176b2f7c3e670c61f58eda2ab21a6e5fcfd328fbb57ca57d38419e5228a2db8057bd9c53048650985bde5d2f0106d53c1ce0dd4ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.4MB

MD5
ac788323972e7ee7243e740ff2f8daae

SHA1
6acd6d700849ca9ad064481461f4b7988dab1945

SHA256
5e7a0c5ef3211fc58e0eca20df194b478942534d5968441fc354686ba7222ebe

SHA512
ba1e52d4d8ea9400b359ef4982504010bd12a007d174ac86187050368c03b78e89b51324429d909741e4f1598be2eab28d0b400f0698b8e085f12beeb6921778

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.1MB

MD5
7b781c296c9518ce7e93f77b8fe3bda3

SHA1
124bd189e2510f852183f51faf67278c8cd1b2e6

SHA256
c50db397ecab6ee6a577d51d1f81d51cb99b2ce149797c8d8c0d59882ab2a7d6

SHA512
24be4115fa2230e35649dce2d1536f25f3df3a7192e530a87cdda00393f1de715264acbab98c745ea7f65f64ce713d01598ed031ada25a61c66a830b2e872c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
1.9MB

MD5
66c74ff5a6fd63536d9510a0ef504561

SHA1
6b34a7e9fb3e220899f77b76c2b26db3e8fa175a

SHA256
535c14bafe9e75f724fae0480e24d0be0c801dbf1d2b81d9d300abbdc7eac326

SHA512
12ce8aa2c0f55fe69d865473580953748bc479e5970b3a82ac673aa2020f89b89ded1ace166f3e5a95138fe996f3f6f804b69a81424404db706527543df865e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.2MB

MD5
0655f93740d40e73a63659f993376388

SHA1
84e3cc33c3c25c26392128ea0dc5062cbc89c8ed

SHA256
e5301178fee0cf24e3a15b43642c7d1da8ebe5e945cdeee6e4688d9e72f82b15

SHA512
91e7b34f63c9b4a3a9077462254238d4024553fe189d598f8ee913ef2f45293472e3244870659e88e33beddc184ecc48e1812ac9a912d9bc9fcf4fd5b9c12ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
1.8MB

MD5
f7bd915047964c6345eee588679d3f6c

SHA1
818772db9065eda9a6ccd20eef06d5256280e17f

SHA256
41195da017d7dfd1fa24158fecf3a1a93c7b1e84f8fe3c621e4f9f73949f8327

SHA512
301ac44daf8b6121b70c3bdf106b6e15af2c8727c91ec81a595186614ad3f1b4cc431d254dd59564ed84abee23883c25bed5e9233b2dc20c6fcb0393e7bb6585

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.1MB

MD5
286dfd9e19e5bb83a98ac2b2e20a7403

SHA1
f4ca430d2669af6a56f89a1c3adfb6cca459cc60

SHA256
060afb27e8d052abd7965c922e4b826e3325db24646037b3dd6b92aad77f1858

SHA512
45742bbb0017f2a25b4ee773504a7369b5d0d454bb570192fb05e4747d80ab0240f99bbf2c8484ccfa44978db1b3c815c378d0efad66bf6161b67639c81f716f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
1.8MB

MD5
ef5ec16ae976ab4940243d706ab9a235

SHA1
d9c291d767481b73cd38f29d2821a45b886ec05b

SHA256
36c11124fb05c4fbe69e5ee1b57b4bb12438704b3c98f91e482e993806ddcfda

SHA512
271f4f640961dce4b7df29485a41f59c9d1bc78f55e1f252da4ec4814b59fb8a5a55d7dfbe228c074318807078ea94290b5c89c88191d23ac88d8d0ea020eb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.1MB

MD5
9b6b7050405a5f58449bc2939acf98ef

SHA1
4e5d761679c6b602cb1082f9264a4a332d524efb

SHA256
5d5d2ef460f6be067a1cb5a15f116ddd5bc66e6c687d3c65b8777fce2fa5dd41

SHA512
1b3624b711aa854d28f0d3e37e0e83fb5e74c7a57e13c52823b33ce254a7003516e46b4383201ee397c1fbfb472c5ca183fd9b994b0929e746cb6caf317cc55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
2.0MB

MD5
760a878c0062e76cd1c4685ff30ecfca

SHA1
1c6c49bea462a0a5eff52c635f606f5e73bcfb7b

SHA256
d5c8b63e8e9b41355232bca7a5858058b489bd439c8d3d446c9de098dde7e4a1

SHA512
ae861a14a1302a63e28dd94014b2ddd4a2335e0656d31fda3ef30bb6c435a6a6c2138bbbc616aeb7fd0fad5d5d63a504ac34ff193f0ce54b0e539490c53ab0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
1.9MB

MD5
e306a7fec9113e90189084cb07499334

SHA1
6c12e3ab33c22293a6a996a1a154b6919b3a4adc

SHA256
dd2728054713339202299c7ea5c925f0e013a109606d634d7f5f1a78c3bf9294

SHA512
769d475e6367e75bfdd1988c0a381ddb015ada030fe3240adcf9e7d4218a2be681dccb3db80485761576499b64c90630c08d43c872ddc8c45ef525b19f7a6afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
1.8MB

MD5
819c835041cf406f61377f3f434672ec

SHA1
6b69fd7f0163e338e26f8548657cd8f02d6bd783

SHA256
d8fd9cab261550edf66e0ada7109a321765e645a1122004f6661f86092ede187

SHA512
81045de8da7a5d12bb8751c1860de2412416b7aebc6bfce5231bdb91b1fa5eb0b7b82e49f1dd1a4208c8f7b9909adee09fb9e7096f49695ae8658189903fdbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b.exe.exe

Filesize
1.7MB

MD5
22ed0526ac6f69992e23505e8d7dc004

SHA1
af3cbe14fc0c4364bc499de1fdc243d252c81d38

SHA256
2bdb0cf8c704fc2c96c7ec9dcf60190f59bec6cb814adfbb430a97dd1391bb53

SHA512
fd7fb5699e48bfc2ec446ec732f993452f831df6567f976ab5ebac40392ce13a038a705a0eafe65104f4c2eeb5a60bd9a0975b6613ddb78d709b1219376ee5a6

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
6d85a04f5bb329cbba3880c43337ec52

SHA1
8c2e62f730619b2e06a5fb802e115606b664525a

SHA256
ff95e5e3fea6e5f9692d24c81ab36bae1013658a34bc60cdcd9b4c591e7feec1

SHA512
31919b83c1b66e4eb99612c6b23a7dfc1cd107e51e3178bc8fb695c8243d7493f43b05a4ab8d0880763aa584ccbecdb1b61b31f0a66d8a92938884b9ef04daf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\_desktop.ini

Filesize
9B

MD5
888e0958022ac10e914e1c9ca3f383ab

SHA1
37d80b3ecaacfed7092fcbe70d7c1000a5246e09

SHA256
627942d6123a7fed1e8414a3d46906af51b7c5f06837df6d288707d29a84e1a1

SHA512
a643219412a29dde13c4d0a9619dbdea00193e91276e163edf546f3392c704a8c2936a2c27d2a0206bfc3ca592d7d79be849c51a1d9af0e4d237cd3dc47eeec4

Download Submit
memory/232-1991-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/468-118-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/864-2293-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/912-1971-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/928-1975-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1172-169-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1260-148-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1296-435-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1336-125-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1336-526-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1440-296-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1688-2499-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1720-5536-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-5978-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1748-20-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1908-1983-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1972-132-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2196-141-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2196-11-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2196-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2256-1955-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2304-4567-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2324-65-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2372-27-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2488-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2584-2121-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2704-1987-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2916-1615-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2948-43-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2948-1766-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2988-1959-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3008-1963-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3104-162-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3164-1305-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3336-1115-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3436-4316-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3496-3608-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3496-729-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3504-893-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3604-85-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3784-58-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4044-2784-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4112-1909-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4268-111-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4300-1951-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4368-93-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4416-100-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4472-2655-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4508-557-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4588-1967-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4600-155-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4608-8-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4608-9060-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4608-3718-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4608-92-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4672-5530-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4676-3780-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4752-34-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4856-1979-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4928-4100-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5016-206-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5060-50-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5084-5531-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/5084-5535-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download