a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Size

2.6MB
MD5

c1fe2f5aa024333c9e16b50f567e7edd
SHA1

f0e1e898af04b82b45c24d5350c2afe7f9d2e2d3
SHA256

a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf
SHA512

554b72d82a6a329957070dadfc38253899044de67c9d6bd4f27cb9531b097fe1897b6345be2360a76c8a76a6edd780b71c3e0deccffcdec2e76f8cb6880b6f46
SSDEEP

12288:vj7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7j7:/cX

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Deletes itself 1 IoCs

pid	Process
2440	cmd.exe

Executes dropped EXE 57 IoCs

pid	Process
2720	Logo1_.exe
2592	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2316	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2540	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2948	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2264	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
108	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3068	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1472	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2464	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
860	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2940	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2836	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2020	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2276	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2508	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
700	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1972	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1940	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3044	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1152	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
688	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2964	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
648	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1228	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2044	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3036	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2608	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
984	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3068	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2496	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1976	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
748	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2432	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1964	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2940	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2440	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2640	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2144	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2784	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1336	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2612	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
3044	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1720	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2308	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2540	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
112	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2016	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
344	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2284	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2204	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2640	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1432	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1812	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
812	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
1672	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Loads dropped DLL 64 IoCs

pid	Process
2440	cmd.exe
2440	cmd.exe
2200	cmd.exe
2200	cmd.exe
2944	cmd.exe
2944	cmd.exe
3016	cmd.exe
3016	cmd.exe
2912	cmd.exe
2912	cmd.exe
3052	cmd.exe
3052	cmd.exe
2092	cmd.exe
2092	cmd.exe
2108	cmd.exe
2108	cmd.exe
1512	cmd.exe
1512	cmd.exe
2184	cmd.exe
2184	cmd.exe
1628	cmd.exe
1628	cmd.exe
1256	cmd.exe
1256	cmd.exe
2632	cmd.exe
2632	cmd.exe
2488	cmd.exe
2488	cmd.exe
1296	cmd.exe
1296	cmd.exe
2796	cmd.exe
2796	cmd.exe
2956	cmd.exe
2956	cmd.exe
2480	cmd.exe
2480	cmd.exe
1512	cmd.exe
1512	cmd.exe
984	cmd.exe
984	cmd.exe
840	cmd.exe
840	cmd.exe
2872	cmd.exe
2872	cmd.exe
1044	cmd.exe
1044	cmd.exe
2396	cmd.exe
2396	cmd.exe
2252	cmd.exe
2252	cmd.exe
1844	cmd.exe
1844	cmd.exe
1120	cmd.exe
1120	cmd.exe
1916	cmd.exe
1916	cmd.exe
1268	cmd.exe
1268	cmd.exe
2944	cmd.exe
2944	cmd.exe
2992	cmd.exe
2992	cmd.exe
2728	cmd.exe
2728	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\EA81C.com"	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Journal\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Uninstall Information\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Mahjong\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 61 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File opened for modification	C:\WINDOWS\FONTS\EA81C.com	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\rundl132.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\WINDOWS\FONTS\EA81C.com	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
File created	C:\Windows\Logo1_.exe	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2236	2720	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe
2720	Logo1_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1672	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2440	2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	30
PID 2056 wrote to memory of 2440	2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	30
PID 2056 wrote to memory of 2440	2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	30
PID 2056 wrote to memory of 2440	2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	30
PID 2056 wrote to memory of 2720	2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	31
PID 2056 wrote to memory of 2720	2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	31
PID 2056 wrote to memory of 2720	2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	31
PID 2056 wrote to memory of 2720	2056	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	31
PID 2720 wrote to memory of 2280	2720	Logo1_.exe	33
PID 2720 wrote to memory of 2280	2720	Logo1_.exe	33
PID 2720 wrote to memory of 2280	2720	Logo1_.exe	33
PID 2720 wrote to memory of 2280	2720	Logo1_.exe	33
PID 2280 wrote to memory of 2864	2280	net.exe	35
PID 2280 wrote to memory of 2864	2280	net.exe	35
PID 2280 wrote to memory of 2864	2280	net.exe	35
PID 2280 wrote to memory of 2864	2280	net.exe	35
PID 2440 wrote to memory of 2592	2440	cmd.exe	36
PID 2440 wrote to memory of 2592	2440	cmd.exe	36
PID 2440 wrote to memory of 2592	2440	cmd.exe	36
PID 2440 wrote to memory of 2592	2440	cmd.exe	36
PID 2592 wrote to memory of 2200	2592	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	37
PID 2592 wrote to memory of 2200	2592	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	37
PID 2592 wrote to memory of 2200	2592	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	37
PID 2592 wrote to memory of 2200	2592	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	37
PID 2200 wrote to memory of 2316	2200	cmd.exe	39
PID 2200 wrote to memory of 2316	2200	cmd.exe	39
PID 2200 wrote to memory of 2316	2200	cmd.exe	39
PID 2200 wrote to memory of 2316	2200	cmd.exe	39
PID 2316 wrote to memory of 2944	2316	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	40
PID 2316 wrote to memory of 2944	2316	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	40
PID 2316 wrote to memory of 2944	2316	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	40
PID 2316 wrote to memory of 2944	2316	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	40
PID 2944 wrote to memory of 2540	2944	cmd.exe	42
PID 2944 wrote to memory of 2540	2944	cmd.exe	42
PID 2944 wrote to memory of 2540	2944	cmd.exe	42
PID 2944 wrote to memory of 2540	2944	cmd.exe	42
PID 2720 wrote to memory of 1200	2720	Logo1_.exe	21
PID 2720 wrote to memory of 1200	2720	Logo1_.exe	21
PID 2540 wrote to memory of 3016	2540	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	43
PID 2540 wrote to memory of 3016	2540	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	43
PID 2540 wrote to memory of 3016	2540	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	43
PID 2540 wrote to memory of 3016	2540	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	43
PID 3016 wrote to memory of 2948	3016	cmd.exe	45
PID 3016 wrote to memory of 2948	3016	cmd.exe	45
PID 3016 wrote to memory of 2948	3016	cmd.exe	45
PID 3016 wrote to memory of 2948	3016	cmd.exe	45
PID 2948 wrote to memory of 2912	2948	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	46
PID 2948 wrote to memory of 2912	2948	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	46
PID 2948 wrote to memory of 2912	2948	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	46
PID 2948 wrote to memory of 2912	2948	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	46
PID 2912 wrote to memory of 2264	2912	cmd.exe	48
PID 2912 wrote to memory of 2264	2912	cmd.exe	48
PID 2912 wrote to memory of 2264	2912	cmd.exe	48
PID 2912 wrote to memory of 2264	2912	cmd.exe	48
PID 2264 wrote to memory of 3052	2264	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	49
PID 2264 wrote to memory of 3052	2264	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	49
PID 2264 wrote to memory of 3052	2264	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	49
PID 2264 wrote to memory of 3052	2264	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	49
PID 3052 wrote to memory of 108	3052	cmd.exe	51
PID 3052 wrote to memory of 108	3052	cmd.exe	51
PID 3052 wrote to memory of 108	3052	cmd.exe	51
PID 3052 wrote to memory of 108	3052	cmd.exe	51
PID 108 wrote to memory of 2092	108	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	52
PID 108 wrote to memory of 2092	108	a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
  "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7224.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
      "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a74A3.bat
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7704.bat
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7955.bat
        9⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7AEA.bat
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7D6A.bat
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7FCA.bat
        15⤵
        Loads dropped DLL
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a81BD.bat
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a83D0.bat
        19⤵
        Loads dropped DLL
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a85B3.bat
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8871.bat
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8A26.bat
        25⤵
        Loads dropped DLL
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8C96.bat
        27⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8D51.bat
        29⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8DDE.bat
        31⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        32⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8E99.bat
        33⤵
        Loads dropped DLL
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8F45.bat
        35⤵
        Loads dropped DLL
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        36⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8FF0.bat
        37⤵
        Loads dropped DLL
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        38⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a907D.bat
        39⤵
        Loads dropped DLL
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        40⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9109.bat
        41⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        42⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a91C4.bat
        43⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        44⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9251.bat
        45⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        46⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a930C.bat
        47⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        48⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a93E6.bat
        49⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a94B1.bat
        51⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a956C.bat
        53⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        54⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9637.bat
        55⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a96F2.bat
        57⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a979E.bat
        59⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        60⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a982A.bat
        61⤵
        Loads dropped DLL
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a98D6.bat
        63⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        64⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9972.bat
        65⤵
        Loads dropped DLL
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        66⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a99DF.bat
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        68⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9A5C.bat
        69⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        70⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9AE8.bat
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        72⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9B55.bat
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        74⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9BC3.bat
        75⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        76⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9C4F.bat
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        78⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9CBC.bat
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        80⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9D49.bat
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        82⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9DB6.bat
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        84⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9E61.bat
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        86⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9EDE.bat
        87⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        88⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9F3C.bat
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        90⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9FB9.bat
        91⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        92⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA026.bat
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        94⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA0A3.bat
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        96⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA110.bat
        97⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        98⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA19C.bat
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        100⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA219.bat
        101⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        102⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA2A5.bat
        103⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        104⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA322.bat
        105⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        106⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA38F.bat
        107⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        108⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA3ED.bat
        109⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        110⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA479.bat
        111⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        112⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$aA506.bat
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe"
        114⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1672
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 592
      4⤵
      Program crash
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a7224.bat

Filesize
722B

MD5
f3a1543540ca913f0244cabadfa9d1ca

SHA1
734bffb29d5942c0e22604b4cc6d4236acddd5f4

SHA256
b669ff0656343f7dc4fac6b3460a70f6908f37c0fd3589e8441d73bd436764fd

SHA512
ec4544c83299af4b41b0fedb225db4aaa5908972996401a39f4dd329498992585b21b0680c2174246823506e9a9682ff5af40cfeb5ca5e0c6dbab51e192aa0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a74A3.bat

Filesize
722B

MD5
eadfec062b167d10594875ac04e5f27f

SHA1
0bfcccddd995e76cc952a5b4c8ff8c0ac14ff278

SHA256
a788585878b39b13b50fc98e90665f9ac22a882d9007cd969b781a968dce61c6

SHA512
158744e467aff154fb2af96d59c763d4ba61a8bf19919babca2a6103271bf45e4c1ebab7c031be5887b4b651aca537604e37909fea12510b4306cf28fa1c699f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7704.bat

Filesize
722B

MD5
29fb6532339677cb6641179a514b878d

SHA1
06ceb6fdc537f244a0c3ef1645094d71da50161e

SHA256
f7f08a5f4e4400036cde7e4e325bcca591d7fb25b82adf5620da9c6712cb7804

SHA512
42b910f7336cf490913322a37a557e9335cb0cd8257e52a27a3e669925d7f18cece84920327665bd2573a6716403cae5e0d6dd9f97407af9b6dc72775ca1a56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7955.bat

Filesize
722B

MD5
7ef4d44871764fbd2bf7d3bbaddfdf6f

SHA1
637eb5b140a04abb179bf708ff4632048370d894

SHA256
fa7dc6d0d72f19f8e709a3fa9e0fc0b7c5f7da3701b5350511ec6ef12747eeba

SHA512
e9efb58eb568fd0fa3a48ee22d4aa55e8757d8639bb69306774aea05d186c60509cd8bab1acbdf7411980ca1d1b8851f454a04e6cc7e31343603c325d80a2cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7AEA.bat

Filesize
722B

MD5
810555400c40fb3d2a089e80a720d919

SHA1
1f59bf66bd8d0343bd8b0162c375b31caa29074c

SHA256
948ec8be5cdcca3e7ff568d4eab11fe81ef5c6f95fe818b96fee8a9e099f7f88

SHA512
a23f3b3116b53ac6fec51055e2ba8a290b34140750414eb7235a152ed1c7e1e33a5d466c11affac4d4c52e07ae50243b3f5e20f6d3b9b198d61f4e06a1888605

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7D6A.bat

Filesize
722B

MD5
b91938c72a20913726d87699a7b7f503

SHA1
250261baf28cbc63eadcf0988094b3ab7f2977f4

SHA256
4fac2cb2e13b76ae8de7e0d6b27937fe21551ea6c621be06b293a5d0bfe22852

SHA512
4ae7c5158ab838de56758741e6054ae0ceff1f82a301c615b58b19e6f2076ad4ab5d01ed1cb24a329e64823a4dcf9046048a234e3f10363eba5ac47946a8ba9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7FCA.bat

Filesize
722B

MD5
8c3b682bd77d1447d95834fc165ce985

SHA1
f985bebc9ff3ac7a02d46433ade55ca8ef9cf994

SHA256
8bf7b926cb480628452b080184ed6d03237b67bb3b392d20efd708e179ef580e

SHA512
dce6ebc6f6ea981be0c14cde81f77da234773abf46852c310c0d8316b95bb194cc54d6240e3eaf324eceba379000b6a921a768808695709d5afe9332bc9b097d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a81BD.bat

Filesize
722B

MD5
3b48f055d60c80b9689f26d82e1f0a87

SHA1
e463b0649c3f60c3ca9426c1345cdefa5f7e6d2c

SHA256
e4b52f54707f840299f715dd449bc738a104c26972472d3f9ba84bc681b331f6

SHA512
b961b91f7ff6a0342876a94c82cebf6fe3948e430fb839a9eea3631f378801011012501e11bc3400139e67f749ef6ee8c3193a14646531baadb2b32c6e2b5284

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a83D0.bat

Filesize
722B

MD5
f0ddeb455505170bce6aceb3724ddf0e

SHA1
84a11fd61a3f3618749d095ada5aa62212b679dc

SHA256
6e5d687a6db2ad57f613b318945a392ed3842a1ff8f096b268f3efa84ffa934e

SHA512
5f081ea151032b7acff5a8b865ed3ccf161d2c7e98e5e9d772b20c153b7702429e35ea5934c479a1873cf1d0339a93e9f8e458076c53eeb401b9fc2867fb7a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a85B3.bat

Filesize
722B

MD5
be21b1b29c4932d4f18455da631ab756

SHA1
64dd0e64aa8bbadcaeb6ed9441277582b8417756

SHA256
90eb229f926fa9b4f3e948a34dd77de610a2fb7cec9f86b7b3fe0afbeea641e6

SHA512
3a2d7a5df0bac92001b095292b81447ea24cfa8f736d722496bc2347a097707708d2ef24f293eb7c2aef20b7f4c0454d3872e3bdf667fe8f68dcc5c088868aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8871.bat

Filesize
722B

MD5
9213afc731404d769a67db71a2312e77

SHA1
c3fe938016abf8c7b5893636fb6944ddf2ec7b6a

SHA256
9a847d2625e0c8b7d277e8abb7e217f8c4f3984729ee9f1c040e89da39f60fb2

SHA512
ab92f729f826011cb9a5f28005bb3dc719ec4d32da3dfa3ec3eb5f8b6e9b8d88f6d329d1ca24391953d8a5952cc70e6e74e3ca053b0f501d742eec243a1059e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8A26.bat

Filesize
722B

MD5
3a7e433bd931b4a8f282aa99fdbb9dc6

SHA1
c6f047463b13647a596a3229a7581aacac860fac

SHA256
1a39fabe502af02f40d8c45d2187aea4e2d3ecdab26ce794b3e71cc83e96f94e

SHA512
efd4b7d69f8ce1fd15e55de13179fd5d5279b9d52d09877da68e85bd431d433f20358f37fd59479685fde186b0c26ac85d454708a715195cf78a02c4cc001cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8C96.bat

Filesize
722B

MD5
22d22a6d5d9a39df6476f9c1a0e559a8

SHA1
c1de8a0ce4a929304ada5363d5aad3414a519b1c

SHA256
769ae2b0268e5895fa2b78b293ca93dc537d88fa6d85f4d05090ad3a9018d369

SHA512
12b64f92c5a45d27ec43e9969ef2ae9028ebd165fbe5e59720eb26bb324819231bfcb654bc08c1bb6b1398891864f231ef08a8b30dc2ef6ba6e9c34826dc9f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8D51.bat

Filesize
722B

MD5
3c655cf618db5e50bcd00d3e34a9fedc

SHA1
44ea1b3e2a394b4d49c5b6a7a183093d328a01ed

SHA256
a763cf3f44985116099e43fc317c0393c19c32d3b74287656e2a6373fad25304

SHA512
cc3cfadf192e19c1edaed35b6d034e3b162a9ed354bc6610fa8e7815bc5c21867597d4263a4071e9bd16c7b02a524c408f7ed0cd4bffc60f9e00d4a30e119dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8DDE.bat

Filesize
722B

MD5
f423c1a092ac4875abf7fbe993a5ccd0

SHA1
91689bdec2ae29734dd7af30eb21b7c408fe3a56

SHA256
fc2d9a5dfc11c3cb1df527e07713be771432174d046e4a81ee1e815e3d6d2d5d

SHA512
1b0afcc0ba13e8854cc7785e009b100500a555a6a252177963885b680e3392b183531ea3ce66000bde1bbab35cffae0e192990c05a43d2090d28e927facd2545

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8E99.bat

Filesize
722B

MD5
e0df5ffc5cd50e2785bfcf1d4713dc6a

SHA1
fec7f62611946eb7c63fa656bdf091a9aa51352c

SHA256
d6bda83039ac8f2585d4df0c6a9f090d6004078c2ddf7a5b27ba59d62b6b9d6b

SHA512
b353e0bdc458df04076575d4ead6581744b3216ebeaf303bcfd455fdee436aadfc5f6b0f27382791006f3b216e978b15f9845d7b4895d4fdac35360c967b1bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8F45.bat

Filesize
722B

MD5
6783de6b9d972d246440e2ec1b05ee68

SHA1
7f115c7f111cff1dd990a1bab11ff9e80caf9bc7

SHA256
eeb1e385924bd964852f14a8dd5d398fc7b8274423b96df3de65f8cf0a62b38b

SHA512
3622435573b3de29a8f4d1f0d2827f1a868be0e4d84f190fc21a1326040bc420b170977ae72227e6ccc7cdada362140cb5ef9e7cf1bfeaaf0e73b1d96dcced85

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8FF0.bat

Filesize
722B

MD5
1f9945b6f57e4b6c21d1e00fd58fbc51

SHA1
63986ebd5f2a020a88cc6a071f8e510524afa669

SHA256
1f8d8358cd64858644e897ae20b0cac6c565fd381d6d06d8acf8823ccd278ec8

SHA512
c2ed4ea98f71262dec7fb9f83b0df3db74a7b308667156f22cbe3332c6ef35dde85f28c8667a036b9da349af83f5dd411efcf293211c86f4ecb741f2d7f28096

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a907D.bat

Filesize
722B

MD5
79ae597f0b5e60bbd0646121595e462f

SHA1
0864a7d6b95b25dce8e6826374ca3e828fede08d

SHA256
41a80b75ccb501b98b14a5a675cf289dcbdb5eaf3658c25f1bda3e2b4aa295db

SHA512
e0e8b76ff790c961923a3a89ed12f61f9104235a9a8699209cb87bb70aac6f6817b44c8a9faf3e2daddf8af54a29c6c49aa9245094da8fa918fa2e813d322c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9109.bat

Filesize
722B

MD5
42e6a27405948b76374930fea39d04b7

SHA1
4cff21e735eece0bcf8d8738764e3d97f623e143

SHA256
0ab328de02cca5793d3d52bca4fcbd26be0d2def49d5a9f46d5cd7dfd2701886

SHA512
bf8d46ba7243ab021b91286f144f855bc660032cf5b9fa5005fbc5cae02bb7f903ddf4bb64416f5a5b24dda7d8c6a19d60c3538c2c9c00d311271033c8e9ee6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a91C4.bat

Filesize
722B

MD5
5ee1edcaa4810d1293e8a06ff718381e

SHA1
7a339bb56d83b2c934d8a1742501572cc6830652

SHA256
f427712e00e8c22428fa3818b1e22bf4b44b4b4bfa7d9ae44e3a084807316825

SHA512
e3b12b090698f912436b022bf0550420733da8b21845ef5f3ed47ea5e897f319c279768973db07f6553272303df93726e06f611e91bd087a0ffdcdd756403c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9251.bat

Filesize
722B

MD5
f31ecf8eedb2b5709717cc7d277af6ba

SHA1
c58aacf6ce1749aa7471f167c4a98d0551a78c22

SHA256
1a9849da9027bc1419ed4ea80a67b0e052f973906e7490ac4fe4a6399a3814f6

SHA512
499f9e210232d7a7bf1b002d9bfd1a14f7cb3f89d0032babd3aff6f2554a74dc28de9b187687d0f196f9ee6ef9dd1bda295bbf41b9cd14fef2df18246e1557e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a930C.bat

Filesize
722B

MD5
611a367930b3f7137054bbc2d0e3f494

SHA1
675df060f4151b42699aa6783c166e1c3a19a045

SHA256
da7433d4526518c77eaaa5de514184d2cc9ba03c646f1c1f9353dab7db8bd376

SHA512
f3be3f53b7a7014ebb4982f37c700e5659260b56bd50eb5c2c24caf4e37d698d34558477ca4a9c6653b22412e938e727cd02a554927fb1c48276ada37f5d0a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a93E6.bat

Filesize
722B

MD5
ddbd4adbde324be3eb8f166cb048336b

SHA1
c63ebcad58c10ff95ba8fe881ed926b952f8fbd4

SHA256
90d89c80fec56d7662e10bcca8141d0725492ad3b8ffd2871035d08fc6745b31

SHA512
4490963fd3a266654d86441e47361a6190036238e6d89d9272358fda1b0418192884c3547cdde427651b505e8f2e6c9c6acbba2fcccddcd80b0f7a291f46ff08

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a94B1.bat

Filesize
722B

MD5
1376b23431c4dd0eb2b67e07ec143b89

SHA1
b2e77ee97e99cdb7b3feccbd427c798ebbcb49f3

SHA256
f0fc9b645838259f3f81fcafff1b41d9402bb01b56d4781be15baae274508f08

SHA512
0ad6253d802ffc38c38cfa53f706497b390a1bf8963dee289aaaff7f4e4c2a4cbd4f920edf79b79dfb7f9794c664fb630022eaee86045fe3c34063cd7466266e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a956C.bat

Filesize
722B

MD5
7824f679346726fb8accfc1dd763777f

SHA1
8a4aff05755a3405acc6b6badab029faa20a9ced

SHA256
1439b3cb79e333727b9bdee23b0b1a570ca118c09153d62135a3934e6f6305e8

SHA512
b4da9365254ec6cfdeb118ad5703ddcaada54a942908d1659244d8182d322ddecdf8bd5564be443388004279d5a8ff1d63e8f515c904d37cc4fad17d4977fc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9637.bat

Filesize
722B

MD5
b732c9f0e5257a0df5c4c9ea5e3e2238

SHA1
c9d349e2504da4ce299d5d84f87e9fd3174d83ff

SHA256
15c5a3408e903cb749e217249a13ab2005575201f73c41d27eac1ea70e88ed74

SHA512
324e788533263dedef30eb4a0e8366f1d4582fb571defab9fd66f2c3d428cf78404bdced6b8a451f03c38a224e0411cad625a9212e1b6934eea1948434ff9f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a96F2.bat

Filesize
722B

MD5
be04547ac50ca64e7d99ecb86dc006e8

SHA1
1b467bd8df8647c639dd55ab7b7dcc7d6d4342f3

SHA256
77a9e32453c844e98cc4aa1e975b27ada521e8ede26fc1c9c349243506968468

SHA512
47d8749d7cdf2f218b684f2a491a3bde564e579a70420c498726352a9aba4cdb195877845194054aaf769209bad2c354103f74038993478ca48e39a4d797a328

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a979E.bat

Filesize
722B

MD5
2c0c18b9261b1ed8c7bd8177a02bacd3

SHA1
c86d1c42e82d221d665757dea57a3eca6c8f52cf

SHA256
abc8af522d984e285333379a7ab90e58cc0403cf3d66b8afa3962abb5c9d6d4a

SHA512
4dab02fb6d5d6ccb63200705fb418f6f22cbd7eb2dc7ac75eb9fe4e4e808310c5422ed7767ff1e5bbe8fce9004b7a222423f50969d039b5904b1034e14cb25a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a982A.bat

Filesize
722B

MD5
b6b293d21895fea3e524212f73465a1d

SHA1
85453f054a66fbb26c3f52514d12012fe3abb459

SHA256
082d711654ad1f5e3b501f3c0dcc3a6fdd900631bd2369234b5020a681b1e15e

SHA512
6b210d2238ead4c4c04ad994a861c081f7dae58060d774486592e512010095b8fce5c852cb9196dc72234c89d318902a83fa7bf7bf5043633439b24a0e42fec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a98D6.bat

Filesize
722B

MD5
96459167fd5df63e01775e881d5b991d

SHA1
3f31f0f1327d81d8bc53851b0bbbcfdbecc41f63

SHA256
54561c10ad372b3b66fdd8c3e18e9b745eca4dab5e36db28c6bf921a4f73547d

SHA512
33bc6d0808c9a91fa1dd701c0cf5ed20730ddadeecffaefb79936853bfe49c7b3e0fd091f04d9e7fe77decb10206fbc3de79261bb2250d399427db4b0d3a53df

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9972.bat

Filesize
722B

MD5
4492705703123aa2f90d98a6b30ce3b5

SHA1
1802aacb568bd56651b4d511ac973e0391362d48

SHA256
b74eee6f28da1c62996e3a5b596f95aed06ef4dfaf526f15c68e1ef9524921ea

SHA512
71dc73f8084ff52aec8a2fd9cdd326a1acaf539ad2ce2c70e84b1e297b5f8a4db47a2efc4724f554cfc1c259cfe526a722e5ad968df5095c3b3d7743e8d96804

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a99DF.bat

Filesize
722B

MD5
bc1a8160cc5145f1b0673d7e8734b09d

SHA1
9307afb08289157f9e84ad89a5af787e3bdf7b11

SHA256
93dd339307244d949ddb490bfb1792dcaf585267cd1bfe97db122022d3dfcfc1

SHA512
8ab0339cb69cc91e7eaf0f5dd202f82d8bf68c22c2d7958c9d676530178b2e63dd7cbf9b350fe2865101540ac2fa89021acd82a35becfc0e4c08599fe786f21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9A5C.bat

Filesize
722B

MD5
a7cd2551bf7da5fd8ad20790b6a2cba0

SHA1
802d5b18b2abd2f8a4c4f57821b614798b2008a4

SHA256
37452d231e1302127a48a248a444f79aba7c1b1e5e9a4820e215dc875acc5c30

SHA512
190c1b2b76292eb3c2a21894907072643d16100283505d868355c505842f8890d272dd90236c2847b5c4f27c06ce06c3766ec48827164356765a8f636b8682d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9AE8.bat

Filesize
722B

MD5
7379205cb5b8926651794861e3e43d76

SHA1
9985c73988679f158df182d4a5d0d8b8ab01df61

SHA256
298ab8e05f4bbb786dfcf1d580ed99d978856db601e39e1d237f5df90295d8e5

SHA512
1a7c2b6c3aeaca67e743dc89325aaaa195781205bfcbcbc65910d7918dc9a75478fa84555a1bb5c9a5f0df2ff0a6adfe2115563b85e0c90c70ad5430dfb94f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9B55.bat

Filesize
722B

MD5
48aa5a7febff3261ce9faf726bf5d4bd

SHA1
0b511edbc1a447ee3b6dc0bfae5780fd490de75f

SHA256
28c4368b64a4c8ac98c00704a3155810df238b2880e4066a3a7d59f416e54dcb

SHA512
f26b630e0d3cc5eb524008153e0a59438ced2c061242c770e44cdc218b670d06fc804f14e71aceaedc9a6d24a81af3b401edac572812945cb6925b78a3b482f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9BC3.bat

Filesize
722B

MD5
2c05de0dbed315b6db54252d695b8385

SHA1
91c783b7a7d4125e36d8b410ee049afe66a3bd11

SHA256
d27e2f56c230fa8185c452148df24c2b0ad2269225eab11d4eb87c2430389fcc

SHA512
0828bf07683ab7651a6c63b2c2091aeca94d64f14565f848385d8abcdcba5d75c926a870e8e15b03153b571548c404d483bc2e6948a73170bc4ddd14ceb3fb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9C4F.bat

Filesize
722B

MD5
aa161a9f9352d0a7dc9871070e3a7a4d

SHA1
d5bd71b8305df766ef7434fd7e9644acde450517

SHA256
b682f7fa0fecf42b8bb2d2efb2c95fcbfa45477f8b43511d54ef173fe106ab27

SHA512
67cf5a2a7fcee92469541a619f84c72cc4095d48cc4d2ce8235b2e73b47516e805be00d0c9a6e1e244a6dcf7e5be8ab7991994810a322208cd039d609deddf94

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9CBC.bat

Filesize
722B

MD5
88f4eb6c08937b4bc64142cc2f9c6fae

SHA1
c09b1902d49014ce165cff5488e882429697657e

SHA256
ee5351d63f35800a2dd81c58e69671e340ecd31543ddc6558ce3cdf95f413c6d

SHA512
6de807711a2f2fd51b4abf308a9bce9dc0be14d033afe52573a530919908dd214c813e336a16444776f08951b8f78415013b9b5532af703af09d449a16bfee07

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9D49.bat

Filesize
722B

MD5
970c15c57a637183f0547754e64a0696

SHA1
100d103e78a004086a33c82a5cb3c98fca07d49f

SHA256
f623b042a5b12065e8e6574da69d86e4c45782a1bfcdc8e8de6358da9ab86f4e

SHA512
6fae9dc036678a1d925938b4d73972503eb01f9c8a4fe537e022c4754e1c7d0d257ea84354b14f7ddfe6c852b2b6af5927c007d152a939715cca85cf60fe0398

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9DB6.bat

Filesize
722B

MD5
d8ea7e50d703c669a79ce53bdb55167a

SHA1
199208870d886757194cb992a1fcaa41c24fae52

SHA256
0369dec2f543da2406ba82463aa60cb62042a51afd319447061d365828eac374

SHA512
1bccf879e4ab3fbaf6a410cabc39aec6af06ce156cb825d88f129b6c2d77663140c44c08d60e1ecc04c7a3706c45faf49d9fb2999c1e2a7b82c5089825ccd128

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9E61.bat

Filesize
722B

MD5
1a14d888582377466ca4f8fe2026fa78

SHA1
f357772b3e087d43e97b2c39253998ce1f88da44

SHA256
023db53c119253548757be02edd744ef3e27e7e3215c056362f8cc612afbe9cb

SHA512
e92bf9ad3d36ad9ca3ac90194fa8b1febb5ae9690a5a416c2feb4d08e573d4e1bf0c80d807ab7eb300ac23dbdd68f9d823d9cf8e6fead30757c0d342b7a4afd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9EDE.bat

Filesize
722B

MD5
ba939e54277639d1861e5a3ea1882c05

SHA1
c2a5e6ae5122ed098fc152951dfdb6fcce3cd897

SHA256
84b15f0923cf0250d3eb5d6b41f01a1feb8f2b0bdcd8ef3c5ad5b03218c6f0e9

SHA512
e2fb4ad100461d672f7be0662700be6c869ab68f30e5a8d43f2be6061b4379219525c8dfeb3cf780c5c7d04a897429606beac4992d48cf511811087a76ef29c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9F3C.bat

Filesize
722B

MD5
e33638812cc26ab1681097cfef7fedb4

SHA1
1cc3b9a7a3c0b92159b9f0a6399d05d0cedd9b42

SHA256
61d44e7d8d51f334903a84db98a3656b16d585c28db132111f36b624b14aae01

SHA512
5311aa7bd88e4230d52696be67d4e6972dc688186ce83e427817377c14379a0ee83fd9897ac35d8dece0ef342c4c6871d739b5cadb0df4fd791179a80a4cf80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9FB9.bat

Filesize
722B

MD5
1aa8cc2c0db24c35a977dc914dc35908

SHA1
ca479dbc641aa023b614c2e6e9052474a4657355

SHA256
abfe825e13fbdbada6b54d285ed3f0955495dc002b6e2aa414c2b4287bbd38be

SHA512
6ef8b9ab80870f48f8e7be3ba0092338876dbfc2e6c1e7cfc393a0ad737f05a288a8aecd6aaccf6329cb2ef4f66ddc0bfb03a122f35e92ce081ecb83aa941984

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA026.bat

Filesize
722B

MD5
dd6f9ee9a4a78ca8f7b0361b043de0f7

SHA1
778228fc503116007b2e69479ff0e82422107764

SHA256
d1c89c59922679e6d331cdf2006a8858cb7e823e24320d94fcf7cb851432ffeb

SHA512
433fc39cf482b90386925f5c8045d0bcefed2a18ff058eee3bb5fbd6b9fdd609bdb17619583fcc49d801a4889ab5df6b7e90dc71bcc4b5d9f0fb1a791061b327

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA0A3.bat

Filesize
722B

MD5
441202d758ab2034e1ab9e5797c6e0ee

SHA1
574094f91e3368e513bde46fc86332735601bc3a

SHA256
a7a7e1b339af3abc8d5810a6b56a98b97a2cfdb90944c83cf372999dd795990f

SHA512
61f5399e9f5744d1eb3670ae3825171bf04e50addfd8d60cfc323f2c8f67cd6e710fef8328732085e537e7067a20af034f8e9e6d5485ba05c12f1ecb6df60852

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA110.bat

Filesize
722B

MD5
b23c883fe14f98d4544301a353b7dd8c

SHA1
42c287897236fdd74594281f8413070d72e8fe25

SHA256
3980d62a876448b682041708ffac2e274dfd3ad07df617ae3693c003ad6d3f67

SHA512
d4dbac194dc367157ff5949ae65d30bd2f002fa421fe2d0baf3915d07cf80df89eafb643c65230b4bd33e30362858c37ddbbcc1c0153e9a047633bfca15078c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA19C.bat

Filesize
722B

MD5
7835fc23b289c19a2190ee2d0319872f

SHA1
1d799af436fdaaba0ed084cd546a945994025815

SHA256
24c3dedbc8e98ccfbc49809b54cfafc44baf90a3bb028c9cea9fda8ed7650aff

SHA512
ef827fb11bc8279a5a62e907d6507999a41721adab5478b543dc61e529dcb91b2ae844c3125e1e2b859f38c401d8acdb8cf796c8e6bc7c731d215a7fb72c2727

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA219.bat

Filesize
722B

MD5
02f208eef73ab464491e26cfe87f12e7

SHA1
4168f04c829eb4a9d724a84f8fbe38d20e25e3fc

SHA256
93a74555b65939cf5f68dcc009e66dcb161d97761f873bea0726a2dd9849e52f

SHA512
ea6c4d4c451b23693eafeb24cae05d8bdea57996ecaf4381aa3de2ec22fc7a94a89c31ed95cd304730103cad7cbb79468da8d7d885f84b781e60fe93521cf391

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA2A5.bat

Filesize
722B

MD5
db9bc00a8a457d4cd1e9141a05ba35c6

SHA1
043769544cef84d37dcba82a136b5eaff1e0a77e

SHA256
b331654c798d53ff3ba0edbc1bb43d52c0faeb1f40b8ec4d32dd1e6e6cbca30c

SHA512
d9301a7f9bd4ca2cfbcdd3518609108abb21d6c40314f09dac25d228def6dbafeead094438c341b6b02a5705a8e9adee3af996e800078b8f941c28542513997e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA322.bat

Filesize
722B

MD5
27c62c32ef1f75f0cdf59179f28b9a22

SHA1
bc309011ac48892f554973f94c9c8c40ac5495bd

SHA256
9392e614ad7c0730d51f01c2c04a57b82af9ae6dca92230b99b8e0edccaf4e75

SHA512
9e739c9297c6e77917e06fb547c58e3e39375bae3d270dadc3acfab3ca09c88b2a578e422819899ad4b2ef62afd3fadcce091160852bf94363c1f6f295e5fde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA38F.bat

Filesize
722B

MD5
4820fa8d38c195e972b253d7f1ed3980

SHA1
eae9c311341912513b450e337ed2dbbff6ca14f4

SHA256
3494059d4cee6f1dc6f14a8ad58d42f34e7fcdf3a9d5aecb5a174d4f3b42793b

SHA512
bdb6ff7f64321dc63dbdd6bbeca1a42058e6c66b2bcaaa2b6090944876f41393a1509566df703702c5c018d92cb4b118ba0560e103b38377d73b0ae237bc3667

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA3ED.bat

Filesize
722B

MD5
37ea781a8ac84f415ec55e70596e4bdd

SHA1
4eb50c3b1818e1b8dc422009e988964de7777a1a

SHA256
570f06fef90f375cfc6df34c8cf71d91a50dfc969b57435fcd069dfabdfaf795

SHA512
fd9748aec3a93c48b5b2b74fa4bb4c798cf16370ba9c9076f99aaae343d7e208d37a6aa243fda5d7748856b830c0de8b4ef65e83600b608836a8798f36709365

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA479.bat

Filesize
722B

MD5
da71f92bb309ff61a81a41b20c8f70d7

SHA1
565aa6a0585f0337ca894d9071d3e51cb30cfd9c

SHA256
eea1c847fc7dd1ad63b6d3efa0bc849729cfd2e500fd0e3d7485451bfa12944d

SHA512
0597cdd9ada941dd088817aec8e378fc86bb1dd4bbc31792ad781ce75a3dc859a60a95a9c5b312990eebd6bd010073b284d28a2bf2b75919096af7cb3af45fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aA506.bat

Filesize
722B

MD5
40c23d9b3140673f0aad68485b4dde9f

SHA1
e668612e810ed89d18dde58865853a61ed756a36

SHA256
4da00abf4ea4a915c176ce197a9dbd1b0090fa9e8fd3e96cc286a93118dcdd7d

SHA512
f7fd6318c0b19eed9c6f0cabfc648f5136608851d731717801138645c9396aa721742d42b2f2072e2c0932f830192672f93d43084d19fdfda079d6a043f21931

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.2MB

MD5
0655f93740d40e73a63659f993376388

SHA1
84e3cc33c3c25c26392128ea0dc5062cbc89c8ed

SHA256
e5301178fee0cf24e3a15b43642c7d1da8ebe5e945cdeee6e4688d9e72f82b15

SHA512
91e7b34f63c9b4a3a9077462254238d4024553fe189d598f8ee913ef2f45293472e3244870659e88e33beddc184ecc48e1812ac9a912d9bc9fcf4fd5b9c12ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.1MB

MD5
286dfd9e19e5bb83a98ac2b2e20a7403

SHA1
f4ca430d2669af6a56f89a1c3adfb6cca459cc60

SHA256
060afb27e8d052abd7965c922e4b826e3325db24646037b3dd6b92aad77f1858

SHA512
45742bbb0017f2a25b4ee773504a7369b5d0d454bb570192fb05e4747d80ab0240f99bbf2c8484ccfa44978db1b3c815c378d0efad66bf6161b67639c81f716f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.3MB

MD5
ee5224c7af0ca448809311f5d5d0ac92

SHA1
6e9d7c7b30a008db94a17f40bd0df234b34b035e

SHA256
1e631817553d5d6546691864c336086c6e6158b7031d93abd85b7be28f952e95

SHA512
46dd8f473c8b28d152d9d176b2f7c3e670c61f58eda2ab21a6e5fcfd328fbb57ca57d38419e5228a2db8057bd9c53048650985bde5d2f0106d53c1ce0dd4ff19

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.6MB

MD5
318d2c741656f06f7d7aa2da999a32f9

SHA1
0522ded7028b5cabcacf251fa66bbaa97658eb14

SHA256
c210b2aa9f380a879cddb6ee08021795b54665a16232f3451ba4acc42f75d51b

SHA512
5f4ef057b74e27fde7970f714db3fbc9585ffe4ef3096c89297b4a892446c4790373dfe2c6b0c784c25869c0a85ba22d71627c2012b4b9011e46ac3f840c9fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.4MB

MD5
3baae1aacb86eefd1732edd07f95936f

SHA1
e8e6b0b06ebae55a45c6405e27d131076b280208

SHA256
055e7eb2f930f945226daf682591695c6895cfc321c30a1ed1c580d3addcec25

SHA512
3a8d665f83c8ce15e4f093bdc10ed4388d8ce603c8f6ea41741f56909659afd46ef8a1bd9d49e065e9a7abe5f400f0660aaaff1956b26f6b1abb7ca213f6d752

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.4MB

MD5
58231e8a54a4d5ad10981a9261d6df2f

SHA1
79fd962af3dede9832de8856fb96b7723cc2ef09

SHA256
1a2fd6986c0d5d25002b7ef2ffdeab383f7cb19ead19248c7207e5d26bd67f99

SHA512
7e53168e58d3c2d8472a589a711366d932f5295e330544b6ded5a32e44d857f823465ef572ff5d2145ebb5e9d597913c91b6e798177c8d81876bd63eaadb94e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.4MB

MD5
ac788323972e7ee7243e740ff2f8daae

SHA1
6acd6d700849ca9ad064481461f4b7988dab1945

SHA256
5e7a0c5ef3211fc58e0eca20df194b478942534d5968441fc354686ba7222ebe

SHA512
ba1e52d4d8ea9400b359ef4982504010bd12a007d174ac86187050368c03b78e89b51324429d909741e4f1598be2eab28d0b400f0698b8e085f12beeb6921778

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.3MB

MD5
ead3d576cab6bb3e77414935b36ace66

SHA1
e347ab64ced05a4e50b4905cb800147620a18e6a

SHA256
5600effef951ba7fa3bed54b59a857bc26814b45e68c7462f67b1714258b73f5

SHA512
38fd77828d2d8796a33b52e0b57cefb792064a9cef691c8dab97331321a3b3eae6a7c0918c3617a00bab16a686f52c9296ffb022d2b78bcaaa51e9cd1146112d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.2MB

MD5
14b760d79bf066c92c043709056178ab

SHA1
153176def6ae9b5e3db4a1d70d30a65d315d3276

SHA256
b410192124d4903c587feeb9837753fac84c61209f3ae1d0b79bff93de82d2d2

SHA512
2d66ecf676de0fd9b18ad3db0ed2b4dbb3ab1a88519303155af4a396bde4ab900e0c7891de96d93037669ba16f76d6bd8cd21b0cf73737a65bb5bca422a9c355

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.1MB

MD5
7b781c296c9518ce7e93f77b8fe3bda3

SHA1
124bd189e2510f852183f51faf67278c8cd1b2e6

SHA256
c50db397ecab6ee6a577d51d1f81d51cb99b2ce149797c8d8c0d59882ab2a7d6

SHA512
24be4115fa2230e35649dce2d1536f25f3df3a7192e530a87cdda00393f1de715264acbab98c745ea7f65f64ce713d01598ed031ada25a61c66a830b2e872c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.5MB

MD5
082e82ae38f578da89a8fb10407dd43d

SHA1
efa9c8f351a27e0534213096b10e43468e69f4fe

SHA256
7a0e4349ed98deafa6f26ddd1289a9c671fbbcf2f8d3fdfb45acfe809e89f0a7

SHA512
be73b48aed9fbedf424c65cd5c6d83442f628205856364ed57d5eaceda20ed852d613456e376e7fd85c17bb9be533e6695894af0578a6625788b80069ac6a23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a453f0d33c3d3e90eaf1be477160097e69f91be5f5cbd30eb28524390f5c35cf.exe.exe

Filesize
2.5MB

MD5
2d8020710bd51a9280bb8c23c28bff6a

SHA1
3b6ad35921dd59358b04ec304b922a7aaa2149e0

SHA256
c58bcec14503c2167a549ddec40418a4151c1624287f76961539d66e52bc7146

SHA512
d7e146017539111d7f45efa9260d3ac12840ec34574ed6512a3c498ff368eabfe68ae5117c34207170057e81361daceda7ece2c48b25642dc2ee33b82b0b8b6b

Download Submit
C:\Windows\Logo1_.exe

Filesize
44KB

MD5
6d85a04f5bb329cbba3880c43337ec52

SHA1
8c2e62f730619b2e06a5fb802e115606b664525a

SHA256
ff95e5e3fea6e5f9692d24c81ab36bae1013658a34bc60cdcd9b4c591e7feec1

SHA512
31919b83c1b66e4eb99612c6b23a7dfc1cd107e51e3178bc8fb695c8243d7493f43b05a4ab8d0880763aa584ccbecdb1b61b31f0a66d8a92938884b9ef04daf8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3434294380-2554721341-1919518612-1000\_desktop.ini

Filesize
9B

MD5
888e0958022ac10e914e1c9ca3f383ab

SHA1
37d80b3ecaacfed7092fcbe70d7c1000a5246e09

SHA256
627942d6123a7fed1e8414a3d46906af51b7c5f06837df6d288707d29a84e1a1

SHA512
a643219412a29dde13c4d0a9619dbdea00193e91276e163edf546f3392c704a8c2936a2c27d2a0206bfc3ca592d7d79be849c51a1d9af0e4d237cd3dc47eeec4

Download Submit
memory/108-127-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/112-2597-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/344-2616-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/648-1586-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/688-1273-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/700-679-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/748-2163-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/812-2674-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/860-232-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/984-2125-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1152-1127-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1200-62-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1228-1669-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1256-252-0x0000000000320000-0x000000000036D000-memory.dmp

Filesize
308KB

Download
memory/1336-2541-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1432-2654-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1472-197-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1512-202-0x00000000001C0000-0x000000000020D000-memory.dmp

Filesize
308KB

Download
memory/1512-203-0x00000000001C0000-0x000000000020D000-memory.dmp

Filesize
308KB

Download
memory/1628-237-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/1672-2680-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1720-2568-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1768-2164-0x0000000000420000-0x000000000046D000-memory.dmp

Filesize
308KB

Download
memory/1812-2664-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1812-2655-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1916-2075-0x0000000000160000-0x00000000001AD000-memory.dmp

Filesize
308KB

Download
memory/1940-869-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1964-2182-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1972-781-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1976-2154-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1976-2675-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2016-2607-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2020-395-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2044-1794-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2056-18-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2056-16-0x0000000000310000-0x000000000035D000-memory.dmp

Filesize
308KB

Download
memory/2056-12-0x0000000000310000-0x000000000035D000-memory.dmp

Filesize
308KB

Download
memory/2056-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2144-2521-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2204-2634-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2264-109-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2276-482-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2276-2665-0x0000000000100000-0x000000000014D000-memory.dmp

Filesize
308KB

Download
memory/2284-2625-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2308-2577-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2316-55-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2432-2173-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2440-2332-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2464-214-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2496-2144-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2508-598-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2540-73-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2540-2587-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2556-2644-0x0000000000240000-0x000000000028D000-memory.dmp

Filesize
308KB

Download
memory/2592-28-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2592-38-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2608-1992-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2612-2550-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2640-2389-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2640-2643-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2692-2598-0x0000000000340000-0x000000000038D000-memory.dmp

Filesize
308KB

Download
memory/2720-2145-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2720-2681-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2720-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2784-2531-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2836-300-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2872-1388-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2928-2588-0x0000000000320000-0x000000000036D000-memory.dmp

Filesize
308KB

Download
memory/2940-248-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2940-2228-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2944-2126-0x0000000000210000-0x000000000025D000-memory.dmp

Filesize
308KB

Download
memory/2948-94-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2964-1464-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3036-1880-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3044-2559-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3044-991-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3056-2090-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3068-142-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3068-2135-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download